
HTTP Strict Transport Security (HSTS)

Implementing HSTS to force HTTPS connections and prevent protocol downgrade attacks.



HSTS is a security feature that forces browsers to use HTTPS connections, preventing protocol downgrade and man-in-the-middle attacks.


How HSTS Works


When a browser receives an HSTS header over HTTPS:

1. It records that the domain must only be reached over HTTPS

2. All future requests to that domain are sent over HTTPS automatically

3. Plain http:// links are rewritten to https:// before the request leaves the browser

4. The policy persists for the max-age duration


HSTS Header Format


Strict-Transport-Security: max-age=31536000; includeSubDomains; preload


Directives


  • **max-age**: How long the browser should remember the policy, in seconds
  • **includeSubDomains**: Apply the policy to all subdomains as well
  • **preload**: Marks the site as eligible for browser preload lists


Implementation


Nginx

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;


Apache

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"


HSTS Preload


Submit your domain to hstspreload.org for:

  • Protection before a user's first visit
  • Inclusion in browser preload lists
  • Maximum security coverage


Key Points


  • Forces HTTPS connections
  • Prevents protocol downgrade attacks
  • Requires a working HTTPS setup first
  • Can be preloaded in browsers
  • Persists for the max-age duration


Best Practices


  • Use a max-age of at least 1 year (31536000 seconds)
  • Include includeSubDomains
  • Consider preload for public sites
  • Only send the header over HTTPS (browsers ignore it on plain HTTP)
  • Test before enabling


Common Issues


  • Sending the HSTS header over HTTP
  • max-age values that are too short
  • Not including subdomains
  • Breaking pages that still load mixed (http://) content
  • Missing preload when the site is eligible
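To check a deployed header against the directive rules and the Common Issues list above, here is an added Python example (not code from the original page): it parses a Strict-Transport-Security value using the RFC 6797 syntax rules and reports the weaknesses; the scheme argument and the one-year threshold follow the best practices above.

```python
from typing import Any, Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age recommended above

def parse_hsts(value: str) -> Dict[str, Any]:
    """RFC 6797 syntax: names are case-insensitive, unknown directives are
    ignored, max-age is mandatory, a repeated directive invalidates the header."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False, "errors": []}
    seen = set()
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if not name:
            continue
        if name in seen:
            policy["errors"].append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if arg.isdecimal():
                policy["max_age"] = int(arg)
            else:
                policy["errors"].append("max-age must be a non-negative integer")
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        policy["errors"].append("max-age directive is required")
    return policy

def audit_hsts(scheme: str, header: Optional[str]) -> List[str]:
    """Findings for one response, mirroring the Common Issues list above;
    an empty list means the header is strong enough to submit for preload."""
    findings: List[str] = []
    if scheme.lower() != "https":
        findings.append("HSTS sent over HTTP is ignored by browsers")
    if header is None:
        return findings + ["no Strict-Transport-Security header"]
    policy = parse_hsts(header)
    findings.extend(policy["errors"])
    max_age = policy["max_age"]
    if max_age is not None and max_age < ONE_YEAR:
        findings.append(f"max-age {max_age} is shorter than one year")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains not set")
    if max_age is not None and max_age >= ONE_YEAR and policy["include_subdomains"] and not policy["preload"]:
        findings.append("eligible for preload but preload directive missing")
    return findings
```

Feed it the scheme the response was actually fetched over, not the one in the page URL, since a header served on a plain HTTP listener is the first of the Common Issues above.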
