
HSTS Explained: How to Force HTTPS and Prevent Downgrade Attacks

2026-04-17 · 6 min read · HSTS, HTTPS

What is HSTS?

HTTP Strict Transport Security (HSTS) is an HTTP response header that tells browsers to connect to your site only over HTTPS. Once a browser has seen the header on an HTTPS response, it rewrites every http:// URL for that host to https:// before sending the request, and it treats a certificate error for that host as fatal instead of offering a "proceed anyway" button, for as long as the max-age you specify.

Without HSTS, the first request a user makes to your site (typing the bare domain, following an old http:// link) goes out in plain text. An attacker on the same public Wi-Fi network can answer it before your server's redirect to HTTPS arrives, then keep the victim on HTTP while proxying the real site in the background. This is called an SSL stripping attack.

How HSTS works

When your server sends the Strict-Transport-Security header on an HTTPS response, the browser stores the policy for that host. On every later visit within max-age, the browser rewrites http:// URLs for that host to https:// before the request is sent, so no plain HTTP request ever leaves the browser. The browser also refuses to proceed on a certificate error for that host; the usual click-through is not offered. Browsers ignore the header when it arrives over plain HTTP, so it only takes effect once the user has reached you over HTTPS at least once.

The header looks like this:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  • max-age sets how long (in seconds) the browser remembers the policy
  • includeSubDomains applies the policy to all subdomains
  • preload signals that you want inclusion in browser preload lists
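To make the browser-side logic concrete, here is an added example (not browser source code and not part of the original post) that simulates an HSTS policy store in Python with the semantics RFC 6797 prescribes: the header is only honoured on an HTTPS response, max-age=0 deletes a stored policy, includeSubDomains extends it to child hosts, an explicit port 80 becomes the default 443, and an expired entry is dropped. The host names, header values and clock values are constructed for illustration.

```python
"""Simulation of a browser's HSTS policy store, with the semantics RFC 6797 gives it.

Added example for this post; not browser source code. Host names, header
values and clock values below are constructed for illustration.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when there is no usable max-age; a browser ignores such a header.
    Unknown directives, including "preload", are ignored by the browser itself.
    """
    max_age, include_subdomains = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Policies keyed by host: host -> (expiry timestamp, include_subdomains)."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be demonstrated
        self.policies = {}

    def observe(self, url, headers):
        """Record the policy carried by a response to `url` (header names lowercased)."""
        parts = urlsplit(url)
        # RFC 6797 section 8.1: the header is ignored unless it arrived over a
        # secure transport (HTTPS without certificate errors; errors assumed absent here)
        if parts.scheme != "https" or parts.hostname is None:
            return
        value = headers.get("strict-transport-security")
        if value is None:
            return
        parsed = parse_hsts(value)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:                       # max-age=0 tells the browser to forget the host
            self.policies.pop(parts.hostname, None)
        else:
            self.policies[parts.hostname] = (self.now() + max_age, include_subdomains)

    def is_known_host(self, host):
        """True if `host` itself, or with includeSubDomains a parent domain, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.policies.get(candidate)
            if entry is None:
                continue
            expires, include_subdomains = entry
            if expires <= self.now():          # expired: drop it and keep looking upward
                del self.policies[candidate]
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Return the URL the browser actually requests: http:// becomes https://
        for known hosts, and an explicit port 80 is replaced by the default 443."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        if not self.is_known_host(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    clock = {"t": 1_000_000.0}
    store = HstsStore(now=lambda: clock["t"])
    policy = {"strict-transport-security": "max-age=60; includeSubDomains; preload"}
    store.observe("http://example.com/", policy)          # plain HTTP response: ignored
    print(store.rewrite("http://example.com/login"))       # http://example.com/login
    store.observe("https://example.com/", policy)         # HTTPS response: policy stored
    print(store.rewrite("http://example.com/login"))       # https://example.com/login
    print(store.rewrite("http://api.example.com:80/v1"))   # https://api.example.com/v1
    clock["t"] += 61                                      # past max-age
    print(store.rewrite("http://example.com/login"))       # http://example.com/login
```

The `__main__` block walks through the lifecycle: a policy seen over plain HTTP is discarded, the same policy seen over HTTPS upgrades later requests for the host and its subdomains, and once max-age has elapsed the browser is back to trusting the first HTTP request, which is why production deployments use a long max-age.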

Why HSTS matters

Prevents SSL stripping

Without HSTS, attackers can intercept the HTTP-to-HTTPS redirect and serve a plain-HTTP copy of your site. Once a browser holds the policy it never sends that first HTTP request again, so the window is closed on every visit after the first one; the very first visit is only covered by preloading (see below).

Protects against mixed content

If a page on your site accidentally references one of its own resources over http://, an HSTS-aware browser rewrites that URL to https:// before fetching it. This only applies to hosts the browser has an HSTS policy for; an http:// script pulled from a third-party host without HSTS is still mixed content, so HSTS complements fixing mixed content rather than replacing it.

Improves SEO signals

Search engines treat HTTPS as a ranking signal, and an enforced HSTS policy shows that HTTPS is mandatory on your site rather than optional.

How to enable HSTS

Send the header on HTTPS responses; browsers ignore it when it arrives over plain HTTP.

Apache

# inside the HTTPS <VirtualHost>; requires mod_headers
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Nginx

# inside the server block that listens on 443 with ssl
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Both snippets use the "always" condition so the header is also sent on redirects and error responses. In Nginx, an add_header inside a location block replaces every add_header inherited from the server block, so repeat this line in any location that sets its own headers.

Cloudflare

Enable HSTS in the SSL/TLS settings. Cloudflare lets you set max-age, includeSubDomains, and preload through the dashboard.

HSTS preloading

The HSTS preload list is a list of domains hardcoded into browsers. Sites on this list are forced to HTTPS even on the very first visit, before the browser has ever seen the HSTS header.

To qualify for preloading:

  • Serve a valid HTTPS certificate
  • Redirect all HTTP traffic to HTTPS on the same host
  • Set max-age to at least 31536000 (1 year)
  • Include the includeSubDomains directive
  • Include the preload directive
  • Send the header on the base domain's HTTPS response, including when that response is itself a redirect
  • Submit your domain at hstspreload.org

Removal takes months, because it has to ship in browser releases, so only preload when you are certain every subdomain, including internal and legacy hosts, supports HTTPS.
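Before submitting, it is worth checking the list above mechanically. The following is an added example for this post, not hstspreload.org's own checker: it takes the plain-HTTP and HTTPS responses for the base domain (as dictionaries of status code and lowercased header names) plus an inventory of subdomains and their HTTPS status, and reports every requirement that is not met. The host name, responses and subdomain inventory are constructed input, not captured traffic; the real submission form remains the authority.

```python
"""Pre-flight check for the HSTS preload requirements, run on constructed responses.

Added example for this post, not hstspreload.org's checker. The host name,
response dictionaries and subdomain inventory are constructed input.
"""
from urllib.parse import urlsplit

ONE_YEAR = 31536000
REDIRECT_CODES = (301, 302, 307, 308)
REQUIRED_FLAGS = {"includesubdomains": "includeSubDomains", "preload": "preload"}


def parse_directives(header_value):
    """Map lowercased directive names to values; the first occurrence of a name wins."""
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name and name not in directives:
            directives[name] = value.strip().strip('"')
    return directives


def check_preload(host, http_response, https_response, subdomains=None):
    """Return a list of findings; an empty list means the domain looks preload-ready.

    Responses are dicts {"status": int, "headers": {lowercased-name: value}};
    `subdomains` maps a subdomain name to True if it answers correctly over HTTPS.
    """
    findings = []

    # 1. plain HTTP must redirect straight to HTTPS on the same host
    location = http_response.get("headers", {}).get("location", "")
    if http_response.get("status") not in REDIRECT_CODES:
        findings.append("HTTP does not redirect to HTTPS")
    else:
        target = urlsplit(location)
        if target.scheme != "https" or (target.hostname or "") != host.lower():
            findings.append(f"HTTP redirects to {location!r}; must be https://{host}/ (same host)")

    # 2. the HTTPS response must carry the header, even when it is itself a redirect
    header = https_response.get("headers", {}).get("strict-transport-security")
    if header is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
        return findings
    directives = parse_directives(header)

    # 3. max-age must parse as an integer and be at least one year
    try:
        max_age = int(directives["max-age"])
    except (KeyError, ValueError):
        max_age = None
    if max_age is None:
        findings.append("max-age missing or not an integer; browsers ignore the header")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below {ONE_YEAR} (1 year)")

    # 4. both flags must be present
    for key, label in REQUIRED_FLAGS.items():
        if key not in directives:
            findings.append(f"{label} directive missing")

    # 5. every subdomain must already serve HTTPS, or includeSubDomains will break it
    for name, https_ok in (subdomains or {}).items():
        if not https_ok:
            findings.append(f"subdomain {name} does not serve HTTPS; includeSubDomains would break it")
    return findings


if __name__ == "__main__":
    # constructed responses, not captured traffic
    good_http = {"status": 301, "headers": {"location": "https://example.com/"}}
    good_https = {"status": 200, "headers": {
        "strict-transport-security": "max-age=31536000; includeSubDomains; preload"}}
    print(check_preload("example.com", good_http, good_https))   # []
    bad_http = {"status": 301, "headers": {"location": "http://www.example.com/"}}
    bad_https = {"status": 200, "headers": {"strict-transport-security": "max-age=300"}}
    for finding in check_preload("example.com", bad_http, bad_https, {"intranet.example.com": False}):
        print("-", finding)
```

To run this against a live site, populate the two response dictionaries from the status code and headers of a request to http://your-domain/ and https://your-domain/ (for example with a plain HTTP client), and fill the subdomain inventory from your DNS records; the check deliberately does no network I/O itself.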

Common mistakes

  • Setting max-age too low (use at least 1 year for production)
  • Forgetting includeSubDomains (leaves subdomains open to stripping, and cookies scoped to the parent domain can still be sent in the clear to a plain-HTTP subdomain)
  • Enabling HSTS before fixing mixed content (locks users out of broken pages for the full max-age)
  • Preloading before verifying all subdomains work over HTTPS

Key takeaways

  • HSTS closes the HTTP-to-HTTPS redirect window on every repeat visit, and preloading closes it on the first visit too
  • Start with a short max-age (minutes, not months), then increase it once you confirm everything works; a long max-age can only be shortened by serving a new header over HTTPS, which users who can no longer reach your site over HTTPS will never receive
  • Preloading provides first-visit protection but is hard to reverse
  • Inventory every subdomain and confirm each serves HTTPS before enabling includeSubDomains