
Strict-Transport-Security

Tells browsers that this host must be reached only over HTTPS for a set period, blocking downgrade-to-HTTP (SSL stripping) attacks on every visit after the first secure one.

HSTS

Purpose

HSTS defends against man-in-the-middle attacks that strip TLS. Once a browser has seen the header on an HTTPS response, it rewrites http:// URLs for that host to https:// before sending any request, even when the user types http:// or follows a plain-HTTP link, and it refuses to let the user click through certificate errors for the host while the policy is in force. The policy is trust-on-first-use: the very first request, made before the browser has ever seen the header, is still exposed, which is the gap the browser preload list closes.

Implementation

Add the header to all HTTPS responses:

```
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```
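In production the header is normally added by the web server or TLS-terminating proxy, but the rules above (HTTPS responses only, every response, HTTP redirected to HTTPS) are easy to get wrong in application code. The following is an added example, not code from the original page: a small stdlib-only WSGI middleware that sets the header on HTTPS responses, replaces any value the application set, and answers plain-HTTP requests with a permanent redirect instead of a policy the browser would ignore. The names `hsts_middleware`, `is_https`, `demo_app`, `make_environ` and `call_app` are this example's own, and it assumes a TLS terminator that sets `wsgi.url_scheme`, or a reverse proxy that writes `X-Forwarded-Proto` and strips any client-supplied copy.

```python
"""HSTS as WSGI middleware (added example, not the page's own code).

Assumes a TLS terminator that sets wsgi.url_scheme correctly, or a reverse
proxy that sets X-Forwarded-Proto and discards any client-supplied copy.
"""
from urllib.parse import urlunsplit

HSTS_VALUE = "max-age=31536000; includeSubDomains; preload"
HEADER = "Strict-Transport-Security"


def is_https(environ):
    """True when the request reached the application over TLS."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    # Assumption: the first hop listed in X-Forwarded-Proto was written by our own proxy.
    proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
    return proto == "https"


def hsts_middleware(app, hsts_value=HSTS_VALUE):
    """Wrap a WSGI app: HSTS on every HTTPS response, 301 to HTTPS for plain HTTP."""

    def wrapped(environ, start_response):
        if not is_https(environ):
            # Browsers must ignore HSTS received over plain HTTP (RFC 6797),
            # so sending it here is pointless; redirect so the HTTPS response
            # can deliver the policy instead.
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
            location = urlunsplit(("https", host, path, environ.get("QUERY_STRING", ""), ""))
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # Drop any value the app set so the policy is decided in one place;
            # this runs for redirects and error responses as well as 200s.
            headers = [(k, v) for k, v in headers if k.lower() != HEADER.lower()]
            headers.append((HEADER, hsts_value))
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)

    return wrapped


def demo_app(environ, start_response):
    """Minimal application used to exercise the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def make_environ(scheme, host, path, query=""):
    """Build a constructed WSGI environ (sample input, not a captured request)."""
    return {
        "wsgi.url_scheme": scheme,
        "HTTP_HOST": host,
        "SERVER_NAME": host.split(":")[0],
        "SCRIPT_NAME": "",
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "REQUEST_METHOD": "GET",
    }


def call_app(app, environ):
    """Invoke a WSGI app once and return (status, headers_dict, body_bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = hsts_middleware(demo_app)
    print(call_app(app, make_environ("https", "example.com", "/")))
    print(call_app(app, make_environ("http", "example.com", "/login", "next=/")))
```

The redirect keeps path and query so bookmarks and deep links survive; the header is attached inside `start_response` rather than in the application so that every status, including 3xx and 5xx, carries it.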

Examples

  • max-age=31536000; includeSubDomains; preload (one year, all subdomains, eligible for submission to the browser preload list)
  • max-age=31536000; includeSubDomains (one year, all subdomains, not submitted for preloading)
  • max-age=86400 (one day, this host only: a rollout value to confirm nothing breaks, not a final setting)

Best Practices

  • Use a max-age of at least 31536000 (one year); during rollout start with hours or days and raise it once every host is confirmed to work over HTTPS, since a long max-age cannot be recalled from browsers that have already cached it
  • Add includeSubDomains so the policy also covers subdomains, after checking that every subdomain, including internal and rarely used ones, serves HTTPS; it also stops a plain-HTTP subdomain from receiving cookies scoped to the parent domain
  • Add preload and submit the domain to the browser preload list once max-age is at least one year and includeSubDomains is set; treat this as permanent, because removal from lists already shipped in browsers takes months
  • Send the header on every HTTPS response, including redirects and error pages, and redirect HTTP to HTTPS; browsers ignore the header on plain HTTP, so HTTPS is the only place it has any effect

Common Mistakes

  • Serving the header only over HTTP, where browsers ignore it (RFC 6797), or omitting it from some HTTPS responses such as redirects, error pages and API hosts
  • Choosing a max-age so short (minutes or a day) that the policy lapses between visits, leaving each return visit open to stripping again
  • Leaving out includeSubDomains, which lets an attacker serve plain HTTP on any subdomain of the protected site
  • Omitting preload when the site is eligible, or adding it and submitting the domain before every subdomain is ready, since the commitment is hard to undo
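The best practices and common mistakes above amount to a checklist that can be run mechanically against the header value a server actually returns. The following is an added example, not code from the original page: a parser for the header value following the grammar in RFC 6797 section 6.1 (directives separated by semicolons, case-insensitive names, an optionally quoted max-age, no duplicates) plus a checker that reports the conditions listed above as stable finding codes. The sample header values are constructed, and `parse_hsts`, `check_hsts` and the finding codes are this example's own names; the one-year threshold is the value this page recommends and the preload list currently requires.

```python
"""Validate a Strict-Transport-Security value (added example, not the page's own code)."""

ONE_YEAR = 31536000


def parse_hsts(value):
    """Parse an STS header value into {lowercase_directive_name: value_or_None}.

    Directive names are case-insensitive and each may appear at most once
    (RFC 6797 section 6.1); a repeated name makes the whole header invalid.
    Values may be quoted strings, so surrounding quotes are removed.
    """
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"') if sep else None
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val
    return directives


def check_hsts(value, min_age=ONE_YEAR):
    """Return a list of finding codes; an empty list means the value is clean.

    INVALID_DUPLICATE_DIRECTIVE / INVALID_MAX_AGE: browsers ignore the header entirely
    MAX_AGE_ZERO:            deletes the cached policy (only correct when unwinding HSTS)
    SHORT_MAX_AGE:           below min_age, so the policy lapses between visits
    NO_INCLUDE_SUBDOMAINS:   subdomains stay open to plain HTTP
    PRELOAD_NOT_ELIGIBLE:    preload present without a one-year max-age and includeSubDomains
    """
    findings = []
    try:
        directives = parse_hsts(value)
    except ValueError:
        return ["INVALID_DUPLICATE_DIRECTIVE"]

    age = directives.get("max-age")
    if age is None or not age.isdigit():
        # max-age is the one required directive; without it there is no policy.
        return ["INVALID_MAX_AGE"]
    age = int(age)

    if age == 0:
        findings.append("MAX_AGE_ZERO")
    elif age < min_age:
        findings.append("SHORT_MAX_AGE")
    if "includesubdomains" not in directives:
        findings.append("NO_INCLUDE_SUBDOMAINS")
    if "preload" in directives and (age < ONE_YEAR or "includesubdomains" not in directives):
        findings.append("PRELOAD_NOT_ELIGIBLE")
    return findings


# Constructed sample values, one per case discussed on this page.
SAMPLES = [
    "max-age=31536000; includeSubDomains; preload",
    "max-age=31536000; includeSubDomains",
    "max-age=86400",
    "max-age=86400; preload",
    "includeSubDomains",
    'max-age="0"',
    "max-age=31536000; max-age=0",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:50} -> {check_hsts(sample) or ['OK']}")
```

To check a live site, feed the function the value from the HTTPS response of the bare domain and from any redirect it issues, since both must carry an eligible header for preloading.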

Test Your Configuration

Run a free security scan to check whether HSTS is properly configured on your site. Whatever tool you use, confirm that the header appears on the HTTPS response of the bare domain and on any redirect it returns, not only on the final page.