
What Is HSTS and Why Your Website Needs It in 2026

HSTS (HTTP Strict Transport Security) forces browsers to use HTTPS. Learn how it works, how to enable it, and why every website needs it for security and SEO.

WebSentry Team · January 20, 2026 · 6 min read

What Is HSTS?

HTTP Strict Transport Security (HSTS) is a security mechanism that tells web browsers to only interact with your website using HTTPS connections. Once a browser receives the HSTS header from your server, it will automatically upgrade all future HTTP requests to HTTPS — even if the user types http:// in the address bar.

Why HSTS Matters

Without HSTS, even if you have SSL/TLS configured, your site is vulnerable to:

  • SSL stripping attacks — An attacker intercepts the user's initial plaintext HTTP request before your server's redirect to HTTPS takes effect and keeps the connection downgraded
  • Cookie hijacking — Session cookies that are sent on that unencrypted initial HTTP request (any cookie not marked Secure) can be read in transit
  • Man-in-the-middle attacks — An attacker on the network path can read or alter the plaintext HTTP request and response in the brief window before the redirect to HTTPS completes

How HSTS Works

When your server responds with the HSTS header over an HTTPS connection, the browser remembers the policy for the specified duration (the header is ignored if it arrives over plain HTTP, so it belongs on your HTTPS responses):

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Here's what each directive does:

  • max-age=31536000 — The browser keeps using HTTPS for this host for 31,536,000 seconds (1 year), counted from the last time it saw the header
  • includeSubDomains — The policy also applies to every subdomain (api.example.com, blog.example.com)
  • preload — Signals your consent to inclusion in the HSTS Preload List built into browsers

The HSTS Preload List

The preload list is a list of domains hardcoded into Chrome, Firefox, Safari, and Edge that should always use HTTPS. Because the policy ships with the browser, it closes the first-visit gap: without preloading, a browser that has never seen your HSTS header still sends its very first request over plain HTTP.

To qualify for preloading:

  1. Serve a valid SSL certificate
  2. Redirect HTTP to HTTPS on the same host
  3. Set max-age to at least 31536000 (1 year)
  4. Include includeSubDomains and preload directives
  5. Submit at hstspreload.org
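The directive semantics described under "How HSTS Works" and the preload requirements above can be checked mechanically. The following Python script is an added example written for this article, not WebSentry's scanner or any browser's code. It parses a Strict-Transport-Security header value, models the browser-side policy store (including the rule that a header received over plain HTTP is ignored, that max-age=0 clears the policy, and that includeSubDomains extends coverage to child hosts), and reports what would block a preload submission. All header values and host names in it are constructed sample data.

```python
"""HSTS header parser, browser-side policy model, and preload-readiness check.

Added example; assumes only the Python standard library.
"""
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age accepted for preloading


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Directive names are case-insensitive, max-age may be quoted, unknown
    directives are ignored, and a directive that appears twice makes the
    whole header invalid (browsers then ignore it). Returns None if invalid.
    """
    seen = set()
    max_age = None
    include_sub = False
    preload = False
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None  # max-age is mandatory
    return HstsPolicy(max_age, include_sub, preload)


class HstsCache:
    """Minimal model of how a browser stores and applies HSTS policies."""

    def __init__(self):
        self._store = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host: str, header: str, over_https: bool, now: int) -> None:
        """Record the header for host as a browser would after a response."""
        if not over_https:
            return  # header received over plain HTTP is ignored
        policy = parse_hsts(header)
        if policy is None:
            return
        host = host.lower()
        if policy.max_age == 0:
            self._store.pop(host, None)  # max-age=0 tells the browser to forget the host
            return
        self._store[host] = (now + policy.max_age, policy.include_subdomains)

    def should_upgrade(self, host: str, now: int) -> bool:
        """True if an HTTP request to host must be rewritten to HTTPS."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._store.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now >= expires_at:
                continue  # expired policy no longer applies
            if i == 0 or include_sub:  # exact host, or a parent with includeSubDomains
                return True
        return False


def preload_issues(header: str, over_https: bool = True) -> list:
    """List everything that would block a submission to the preload list."""
    issues = []
    if not over_https:
        issues.append("header must be served over HTTPS")
    policy = parse_hsts(header)
    if policy is None:
        return issues + ["header missing or malformed"]
    if policy.max_age < ONE_YEAR:
        issues.append(f"max-age {policy.max_age} is below {ONE_YEAR}")
    if not policy.include_subdomains:
        issues.append("includeSubDomains directive missing")
    if not policy.preload:
        issues.append("preload directive missing")
    return issues


if __name__ == "__main__":
    # Constructed sample: the header from this article, seen once over HTTPS.
    cache = HstsCache()
    cache.observe("example.com", "max-age=31536000; includeSubDomains; preload", True, 0)
    print(cache.should_upgrade("api.example.com", 100))  # True, via includeSubDomains
    print(preload_issues("max-age=300"))                 # three blocking issues
```

Running the script shows the two behaviours that matter in practice: a subdomain is upgraded only because the parent policy carried includeSubDomains, and a short max-age without the other two directives fails the preload check on three counts.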

How to Enable HSTS

Nginx

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

Apache (requires mod_headers)

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

Cloudflare

Enable HSTS in the Cloudflare dashboard under SSL/TLS → Edge Certificates → HTTP Strict Transport Security.

HSTS and SEO

Google has confirmed that HTTPS is a ranking factor. HSTS ensures your site always serves over HTTPS, which:

  • Prevents duplicate content issues (separate HTTP and HTTPS versions of the same page)
  • Improves page load speed (the browser upgrades to HTTPS internally instead of sending a plaintext request and following a redirect)
  • Boosts trust signals for search engines

Check Your HSTS Configuration

Run a free WebSentry audit to verify your HSTS header is properly configured. The scanner checks for correct max-age values, subdomain coverage, and preload readiness.
