HTTPS Enforcement
Configure the Strict-Transport-Security header to enforce HTTPS connections. Set max-age, subdomain coverage, and preload eligibility.
max-age: How long, in seconds, the browser should remember to use only HTTPS for this site. A value of 31536000 (1 year) or more meets the preload list requirement and is the most common production setting.
includeSubDomains: Apply the HSTS policy to all subdomains as well (e.g., api.example.com, cdn.example.com), which will then also be forced to use HTTPS. Required for preload list submission.
preload: Mark the domain as ready for submission to the HSTS preload list built into browsers. Without preload, the browser must have visited your site at least once over HTTPS and received the header before it starts enforcing HSTS, so the very first visit remains exposed to a downgrade attack.
Even when a site supports HTTPS, the first request often starts as plain HTTP (a typed hostname, an old http:// bookmark or link). An attacker on the same network can intercept that request and keep the user on plain HTTP, proxying or spoofing the site while the victim never sees a certificate warning (an SSL stripping attack). HSTS closes this gap for every later visit: once the browser has seen the header over HTTPS, it never uses HTTP for your domain again until the policy expires. Only the preload list closes the gap for the very first visit. For a deeper explanation, see our HSTS overview.
Start with a short max-age (e.g. 1 hour) and verify that everything on your domain loads correctly over HTTPS. Add includeSubDomains while max-age is still short, because it covers every subdomain, including internal and third-party-hosted ones you may not have moved to HTTPS yet. Gradually increase the duration over days or weeks. Once you reach 1 year with includeSubDomains enabled and the preload directive present, you can apply for the preload list. Our generator guide covers the full rollout process.
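The browser-side behaviour described above (first-visit gap, enforcement after one HTTPS visit, subdomain coverage, expiry, max-age=0 and preloading) as an added example that is not part of this page or any browser's code. It is a small model of RFC 6797's "known HSTS host" store; the hostnames, timestamps and policies are constructed sample data, and the preloaded entry is assumed to cover subdomains because the preload list requires includeSubDomains.

```python
"""Model of how a browser applies a cached HSTS policy (RFC 6797 sections 8.1-8.3).

Added example for this page; it is not browser code and not the generator's own.
All hostnames, timestamps and policies below are constructed sample data."""

from dataclasses import dataclass

ONE_YEAR = 31_536_000


@dataclass
class HstsEntry:
    expires_at: float        # absolute time after which the policy is inert
    include_subdomains: bool


class HstsCache:
    """The browser's store of 'known HSTS hosts' plus a static preload set."""

    def __init__(self, preloaded=()):
        # Assumption: preloaded entries cover subdomains, because the preload
        # list requires includeSubDomains at submission time.
        self.preloaded = {h.lower() for h in preloaded}
        self.dynamic: dict[str, HstsEntry] = {}

    def observe(self, host, secure, max_age, include_subdomains, now):
        """Process a Strict-Transport-Security header received from host.

        Returns True if the policy was recorded (or cleared). A header seen on
        a plain-HTTP response is ignored, so an attacker cannot poison the cache
        and a site cannot bootstrap HSTS from port 80.
        """
        host = host.lower()
        if not secure:
            return False
        if max_age == 0:
            self.dynamic.pop(host, None)     # max-age=0 clears the cached policy
            return True
        self.dynamic[host] = HstsEntry(now + max_age, include_subdomains)
        return True

    def must_use_https(self, host, now):
        """True if an http:// navigation to host must be rewritten to https://."""
        labels = host.lower().split(".")
        # Check the host itself, then each superdomain (api.example.com -> example.com -> com).
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0
            if candidate in self.preloaded:
                return True
            entry = self.dynamic.get(candidate)
            if entry is None or entry.expires_at <= now:
                continue                      # unknown or expired: no policy
            if exact or entry.include_subdomains:
                return True
        return False


def walkthrough(now=1_700_000_000.0):
    """Replay the situations the text describes and return what the browser would do."""
    cache = HstsCache(preloaded=["preloaded.example"])
    out = {}
    # 1. Nothing cached: the very first http:// request goes out in the clear.
    out["first_visit_protected"] = cache.must_use_https("example.com", now)
    # 2. A header injected on a plain-HTTP response changes nothing.
    cache.observe("example.com", secure=False, max_age=ONE_YEAR, include_subdomains=True, now=now)
    out["http_header_honoured"] = cache.must_use_https("example.com", now)
    # 3. After one HTTPS response carrying the header, the policy is enforced ...
    cache.observe("example.com", secure=True, max_age=ONE_YEAR, include_subdomains=True, now=now)
    out["after_https_visit"] = cache.must_use_https("example.com", now)
    # ... for subdomains too, because includeSubDomains was set.
    out["subdomain_covered"] = cache.must_use_https("api.example.com", now)
    # 4. Once max-age elapses the browser forgets the policy.
    out["after_expiry"] = cache.must_use_https("example.com", now + ONE_YEAR + 1)
    # 5. Without includeSubDomains, sibling hosts stay reachable over HTTP.
    cache.observe("example.org", secure=True, max_age=3600, include_subdomains=False, now=now)
    out["uncovered_subdomain"] = cache.must_use_https("cdn.example.org", now)
    # 6. max-age=0 served over HTTPS clears the entry immediately on this browser.
    cache.observe("example.com", secure=True, max_age=0, include_subdomains=True, now=now)
    out["after_max_age_zero"] = cache.must_use_https("example.com", now)
    # 7. A preloaded domain is protected even on the very first visit.
    out["preloaded_first_visit"] = cache.must_use_https("login.preloaded.example", now)
    return out


if __name__ == "__main__":
    for check, result in walkthrough().items():
        print(f"{check:24} -> {'HTTPS enforced' if result else 'plain HTTP allowed'}")
```

The walkthrough only models one browser; step 6 shows why a max-age=0 reset is not instant fleet-wide, since every other browser keeps enforcing until its own cached expiry passes.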
HTTP Strict Transport Security (HSTS) is a response header that tells browsers to connect to your site only over HTTPS. Without HSTS, an attacker on the same network can intercept the initial HTTP request and keep the user on a plain-HTTP connection under their control (an SSL stripping attack). Once a browser has received the header over HTTPS, it rewrites any http:// URL for your domain to https:// before sending it and treats certificate errors as fatal rather than click-through. This closes the window for every later visit; the preload list closes it for the first visit as well.
For production sites, a max-age of at least 31536000 (1 year) is recommended. This is also the minimum required for the HSTS preload list. Start with a shorter duration like 1 day or 1 week while testing, then increase once you are confident everything works over HTTPS.
When includeSubDomains is set, the HSTS policy applies to every subdomain of your site. Without it, subdomains like api.example.com or cdn.example.com can still be accessed over HTTP. Note that it also covers internal, staging and third-party-hosted subdomains, so any of those still served over HTTP only will stop working in browsers that have cached the policy. This directive is required for preload list submission.
The preload list is a registry of domains hardcoded into browsers to always use HTTPS, even on the very first visit. Submission requires that the base domain serve the header over HTTPS with a max-age of at least 1 year, includeSubDomains and the preload directive, that port 80 redirect to HTTPS on the same host, and that every subdomain already work over HTTPS. Once submitted and accepted, your domain will be included in Chrome, Firefox, Safari, and other browsers. Removal takes months, so make sure all subdomains support HTTPS before submitting.
You can set max-age to 0 to tell browsers to stop enforcing HSTS. The reset header must itself be served over HTTPS, because browsers ignore Strict-Transport-Security on plain HTTP responses. Any browser that has already cached your HSTS policy will continue enforcing HTTPS until it sees the reset or its cached max-age expires. If you are on the preload list, removal requires submitting a request and waiting for a browser release cycle.
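The server-side counterpart of the directives discussed above (max-age, includeSubDomains, preload and the max-age=0 reset), as an added example that is not the generator's own code: a parser for the header value following RFC 6797's syntax rules, plus a check that reports which preload requirements a given value still misses. The sample header values and the "testing"/"ramping" stage thresholds are constructed for illustration; the 1-year minimum and the two required directives are the preload list's own requirements.

```python
"""Check a Strict-Transport-Security header value against the rollout and
preload requirements described on this page.

Added example, not the generator's code. The sample header values and the
stage thresholds below are constructed for illustration; the 31536000-second
minimum and the includeSubDomains/preload directives are the preload list's
own requirements."""

import re

ONE_YEAR = 31_536_000


class HstsSyntaxError(ValueError):
    """Header the browser would discard (RFC 6797 section 6.1)."""


def parse_sts(value):
    """Parse an STS header value into {directive_name: value_or_None}.

    Directive names are case-insensitive, values may be quoted, each directive
    may appear only once, and max-age is mandatory and must be digits.
    """
    directives = {}
    for chunk in value.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue                      # tolerate a trailing ';'
        name, has_value, val = chunk.partition("=")
        name = name.strip().lower()
        val = val.strip() if has_value else None
        if val is not None and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]               # quoted-string form, e.g. max-age="31536000"
        if name in directives:
            raise HstsSyntaxError(f"duplicate directive {name!r}")
        directives[name] = val
    if "max-age" not in directives:
        raise HstsSyntaxError("max-age directive is required")
    if directives["max-age"] is None or not re.fullmatch(r"[0-9]+", directives["max-age"]):
        raise HstsSyntaxError("max-age must be a non-negative integer (seconds)")
    return directives


def assess(value, served_over_https=True):
    """Describe what this header achieves and list what blocks preload submission."""
    if not served_over_https:
        # Browsers ignore STS on plain HTTP, so the header does nothing here.
        return {"stage": "ignored", "max_age": None, "preload_ready": False,
                "problems": ["header only takes effect on HTTPS responses"]}
    d = parse_sts(value)
    max_age = int(d["max-age"])
    include_sub = "includesubdomains" in d
    preload = "preload" in d
    problems = []
    if max_age < ONE_YEAR:
        problems.append(f"max-age {max_age} is below the 1-year minimum ({ONE_YEAR})")
    if not include_sub:
        problems.append("includeSubDomains is missing")
    if not preload:
        problems.append("preload directive is missing")
    if max_age == 0:
        stage = "clearing"                # tells browsers to drop the cached policy
    elif max_age < 7 * 86400:
        stage = "testing"                 # hours or days: cheap to back out of
    elif max_age < ONE_YEAR:
        stage = "ramping"
    else:
        stage = "production"
    return {"stage": stage, "max_age": max_age, "include_subdomains": include_sub,
            "preload": preload, "preload_ready": not problems, "problems": problems}


# Constructed sample headers, from a first test deployment to a preload-ready one.
SAMPLES = {
    "testing":    "max-age=3600",
    "ramping":    "max-age=604800; includeSubDomains",
    "no_preload": "max-age=31536000; includeSubDomains",
    "ready":      "max-age=31536000; includeSubDomains; preload",
    "quoted":     'max-age="31536000"; includeSubDomains; preload',
    "clearing":   "max-age=0; includeSubDomains",
}


def assess_samples():
    return {name: assess(value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in assess_samples().items():
        status = "preload-ready" if result["preload_ready"] else "; ".join(result["problems"])
        print(f"{name:11} stage={result['stage']:10} {status}")
```

Feed it the header value copied from a real HTTPS response (and from the HTTP-to-HTTPS redirect response, which must carry it too) rather than the value you configured, so that a proxy or CDN silently rewriting or dropping the header shows up as a failed check.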
HSTS prevents SSL stripping and protocol downgrade attacks, but it does not replace proper TLS configuration. You still need a valid certificate, strong cipher suites, and correct redirect chains. Combine HSTS with other security headers like Content Security Policy for comprehensive protection.
After deploying your HSTS header, run a scan to confirm that HTTPS responses (and the HTTP-to-HTTPS redirect, if any) actually carry it with the values you intended, and check the rest of your security headers while you are at it.