
What Is HSTS and Why Your Website Needs It in 2026

WebSentry Team
· 6 min read

What Is HSTS?

HTTP Strict Transport Security (HSTS) is a security mechanism that tells web browsers to only interact with your website using HTTPS connections. Once a browser receives the HSTS header from your server, it will automatically upgrade all future HTTP requests to HTTPS — even if the user types http:// in the address bar.

Why HSTS Matters

Without HSTS, even if you have SSL/TLS configured, your site is vulnerable to:

  • SSL stripping attacks — An attacker intercepts the initial HTTP request before the redirect to HTTPS happens, downgrading the connection
  • Cookie hijacking — Session cookies sent over the unencrypted initial HTTP request can be intercepted
  • Man-in-the-middle attacks — The brief window between HTTP and HTTPS redirect is exploitable

How HSTS Works

When your server responds with the HSTS header, the browser remembers it for the specified duration:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Here's what each directive does:

  • max-age=31536000 — Browser remembers to use HTTPS for 31,536,000 seconds (1 year)
  • includeSubDomains — Applies the policy to all subdomains too (api.example.com, blog.example.com)
  • preload — Signals that the site consents to inclusion in the HSTS preload list shipped with browsers

The HSTS Preload List

The preload list is a list of domains hardcoded into Chrome, Firefox, Safari, and Edge that should always use HTTPS. This eliminates even the first-visit vulnerability.

To qualify for preloading:

  1. Serve a valid SSL certificate
  2. Redirect HTTP to HTTPS on the same host
  3. Set max-age to at least 31536000 (1 year)
  4. Include includeSubDomains and preload directives
  5. Submit at hstspreload.org

How to Enable HSTS

Nginx

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

Apache

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

Cloudflare

Enable HSTS in the Cloudflare dashboard under SSL/TLS → Edge Certificates → HTTP Strict Transport Security.

HSTS and SEO

Google has confirmed that HTTPS is a ranking factor. HSTS ensures your site always serves over HTTPS, which:

  • Prevents duplicate content issues (HTTP and HTTPS versions)
  • Improves page load speed (skips HTTP→HTTPS redirect)
  • Boosts trust signals for search engines

Check Your HSTS Configuration

Run a free WebSentry audit to verify your HSTS header is properly configured. The scanner checks for correct max-age values, subdomain coverage, and preload readiness.
