HSTS (HTTP Strict Transport Security)
HSTS (HTTP Strict Transport Security) is a response header that tells browsers to only connect to this domain via HTTPS — never HTTP. Once cached, the browser refuses HTTP connections for the duration of max-age, preventing downgrade attacks and accidental insecure connections.
The problem HSTS solves
HTTPS protects connections, but not the first connection. If a user types example.com without a scheme, their browser defaults to plain HTTP and makes an HTTP request that a network attacker can intercept — before any HTTPS redirect happens. HSTS eliminates this gap after the first visit.
The header
Strict-Transport-Security: max-age=31536000; includeSubDomains
Once the browser receives this, it will refuse HTTP for example.com and all subdomains for 1 year — even if you type http://.
Nginx config
server {
    listen 443 ssl;
    # Only the HTTPS server block sets the header: browsers ignore
    # Strict-Transport-Security on responses received over plain HTTP.
    # "always" emits it on error responses too, not just 2xx/3xx.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}

server {
    listen 80;
    # Plain HTTP does nothing but redirect to HTTPS.
    return 301 https://$host$request_uri;
}
The preload list — closing the first-visit gap
HSTS only kicks in after the first visit. The preload list bakes your domain into Chrome, Firefox, and Safari so HTTPS is enforced even on the absolute first visit. Submit at hstspreload.org.
Requirements: a max-age of at least 31536000 (one year), the includeSubDomains directive, the preload directive, and every subdomain served over HTTPS.
Warning — do not rush
HSTS is a commitment. Once cached, users cannot connect over HTTP for the duration of max-age. If your HTTPS breaks, they will see a hard error with no way around it. Start with max-age=300 (5 minutes) and ramp up slowly.