HSTS
HSTS is a web security policy that tells browsers to always use HTTPS for a domain, preventing protocol downgrade attacks and reducing the risk of SSL stripping on insecure networks. It is enabled by sending a Strict-Transport-Security response header with a max-age value, and optionally applying the rule to subdomains and allowing inclusion in browser preload lists.
How It Works
HSTS (HTTP Strict Transport Security) is enforced by the browser after it receives the Strict-Transport-Security header over a valid HTTPS connection. The header includes a max-age directive (how long, in seconds, the browser should remember the rule) and can include includeSubDomains to apply the policy to all subdomains. Once stored, the browser automatically upgrades future requests from http:// to https:// and refuses to proceed if the HTTPS connection is invalid (for example, due to a certificate error).
Because HSTS is a browser-side memory of your site's policy, it changes the failure mode: instead of allowing a user to click through warnings or fall back to HTTP, the browser blocks access until HTTPS is correctly configured. For first-time visitors, HSTS only takes effect after the first successful HTTPS visit, unless the domain is in an HSTS preload list, which is a list baked into major browsers. Preloading typically requires meeting strict requirements, such as redirecting all HTTP traffic to HTTPS and serving HTTPS on the base domain and relevant subdomains.
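As an added illustration (not code from the original page), the following Python models the browser behaviour described above: it parses the Strict-Transport-Security header, keeps a store that only honours the header when received over HTTPS, expires entries after max-age, applies includeSubDomains to parent-domain policies, treats preloaded hosts as never expiring, and checks the header-level preload requirements. It assumes the public preload list's rule of a max-age of at least one year plus both includeSubDomains and preload; host names and timestamps are constructed.

```python
ONE_YEAR = 31_536_000  # the preload list requires max-age of at least one year (seconds)

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into a dict, or None if unusable.
    Names are case-insensitive, unknown directives are ignored (RFC 6797)."""
    max_age, include_sub, preload = None, False, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():  # missing or non-numeric max-age invalidates the header
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub, "preload": preload}

class HstsStore:
    """Minimal browser HSTS cache: host -> (policy, time learned); preloaded hosts never expire."""
    def __init__(self, preloaded=()):
        forever = {"max_age": float("inf"), "include_subdomains": True, "preload": True}
        self.policies = {host: (forever, 0) for host in preloaded}
    def observe(self, host, header, over_https, now):
        """Record a response header; returns True if the cache changed. Headers on
        plain HTTP are ignored and max-age=0 deletes the stored policy."""
        policy = parse_hsts(header) if over_https else None
        if policy is None:
            return False
        if policy["max_age"] == 0:
            return self.policies.pop(host, None) is not None
        self.policies[host] = (policy, now)
        return True
    def should_upgrade(self, host, now):
        """True if an http:// request for host must become https://: an exact match
        or an unexpired parent-domain policy that carries includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            entry = self.policies.get(parent)
            if entry and now <= entry[1] + entry[0]["max_age"]:
                if parent == host or entry[0]["include_subdomains"]:
                    return True
        return False

def preload_eligible(header):
    # Header-level preload requirements only; the redirect checks are out of scope here.
    p = parse_hsts(header)
    return bool(p) and p["max_age"] >= ONE_YEAR and p["include_subdomains"] and p["preload"]
```

Note that a policy learned without includeSubDomains leaves subdomains unprotected, and a policy that has expired silently reverts the browser to plain HTTP, which is why a max-age of at least a year is expected before preloading.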
Why It Matters for Web Hosting
HSTS affects how safely and reliably users reach your site, so it is closely tied to hosting features like SSL/TLS management, automatic certificate renewal, and correct redirect handling. When comparing hosting plans, look for easy HTTPS enforcement at the server or control panel level, support for setting response headers (via Nginx/Apache config or .htaccess), and tooling to avoid mixed content. A misconfigured certificate or redirect loop can become a hard outage for returning visitors once HSTS is cached.
Common Use Cases
- Forcing HTTPS across a site to prevent downgrade and SSL stripping attacks
- Hardening login, checkout, and account areas where credentials or tokens are used
- Applying HTTPS requirements to all subdomains with includeSubDomains
- Supporting compliance and security baselines that require strict transport protection
- Preparing a domain for HSTS preloading after verifying redirects and certificate coverage
HSTS vs HTTPS Redirects
An HTTPS redirect (301/302 from HTTP to HTTPS) is a server-side instruction that still allows the initial HTTP request to happen, which can be intercepted on hostile networks. HSTS is a browser-enforced rule that prevents the HTTP request from being made at all after the policy is learned (or preloaded). In practice, you typically use both: redirects to move traffic to HTTPS, and HSTS to make HTTPS mandatory for subsequent visits.