HSTS Guide — Strict-Transport-Security Explained
Strict-Transport-Security (HSTS) tells browsers to always connect via HTTPS. Learn how to configure it correctly, avoid common pitfalls, and submit to browser preload lists.
Security Headers Generator
Generate and analyze HTTP security headers for Nginx, Apache, Vercel, Netlify, and Cloudflare. Visual builder with presets and security scoring.
Output format
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), gyroscope=(), magnetometer=(), accelerometer=(), autoplay=(), fullscreen=(self)
X-XSS-Protection: 0
What is HSTS?
HTTP Strict-Transport-Security (HSTS) is a response header that instructs browsers to only connect to your site over HTTPS for a specified duration. Once a browser receives the HSTS header, it automatically converts all HTTP requests to HTTPS — even if the user types http:// or clicks an HTTP link. This prevents SSL-stripping attacks where an attacker downgrades connections from HTTPS to HTTP.
Configuring max-age
The max-age directive specifies how long, in seconds, the browser should remember to use only HTTPS for the host. Start with a short value (e.g., 300 seconds) to test, then raise it to 31536000 (1 year) or 63072000 (2 years) for production. Once set, HSTS is not easily undone: browsers keep upgrading HTTP requests to HTTPS until max-age expires, and the timer restarts every time the header is received. The minimum value for preload submission is 31536000.
HSTS preload lists
Browser preload lists (hstspreload.org) build HSTS for your domain into the browser itself, so even the very first visit is protected. To qualify, the site must serve a valid certificate, redirect HTTP to HTTPS, and send the HSTS header on the root domain with a max-age of at least 31536000 together with the includeSubDomains and preload directives. Removal from the preload lists can take months, so submit only when you are fully committed to HTTPS on the domain and all of its subdomains.
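As an added example (not the generator's own code), the following Python checker parses a Strict-Transport-Security header the way RFC 6797 specifies and reports which of the preload requirements above it misses; it also covers the max-age section, including the max-age=0 back-out case. ONE_YEAR and the message strings are my choices.

```python
"""Parse a Strict-Transport-Security header and check it against the
preload requirements listed above (added example; not the generator's code)."""
import re

ONE_YEAR = 31536000  # minimum max-age for preload submission

def parse_hsts(header_value):
    """Return a dict of directives per RFC 6797: names are case-insensitive,
    max-age may be quoted, and a directive must not appear twice."""
    directives = {}
    for raw in header_value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    return directives

def check_hsts(header_value):
    """Return a list of problems; an empty list means preload-ready."""
    try:
        d = parse_hsts(header_value)
    except ValueError as e:
        return [str(e)]
    if "max-age" not in d:
        return ["max-age directive is required"]
    if not re.fullmatch(r"\d+", d["max-age"]):
        return ["max-age must be a non-negative integer number of seconds"]
    max_age = int(d["max-age"])
    problems = []
    if max_age == 0:
        problems.append("max-age=0 disables HSTS (use only to back out)")
    elif max_age < ONE_YEAR:
        problems.append(f"max-age {max_age} is below the preload minimum {ONE_YEAR}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains is required for preload")
    if "preload" not in d:
        problems.append("preload directive is required for preload submission")
    return problems

if __name__ == "__main__":
    for h in ("max-age=300", "max-age=31536000; includeSubDomains; preload"):
        print(h, "->", check_hsts(h) or "preload-ready")
```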
Frequently Asked Questions
Can I undo HSTS once it is set?
You can set max-age=0 to tell browsers to stop enforcing HSTS, but users must visit your site again over HTTPS to receive this updated header. If you are on a preload list, removal takes weeks to months. Always test with short max-age values first.
Should I use includeSubDomains with HSTS?
Yes, if all your subdomains support HTTPS. This prevents attackers from using insecure subdomains to set cookies or perform downgrade attacks. It is required for HSTS preload submission.
Does HSTS affect performance?
HSTS improves performance by eliminating HTTP-to-HTTPS redirects after the first visit. The browser upgrades connections locally without making the initial HTTP request, saving a round trip.