Crawlsonar
Security

HSTS (HTTP Strict Transport Security)

Also known as: Strict-Transport-Security

A setting that tells browsers to only ever open your site over the secure HTTPS connection — never plain, interceptable HTTP.

In plain English

Think of HTTPS as a sealed envelope and plain HTTP as a postcard anyone along the way can read. Even when your site prefers the sealed envelope, a visitor's very first knock on the door often goes out as a postcard — and someone on the same café or hotel Wi‑Fi can grab it and keep the whole conversation on postcards. HSTS is a note the browser remembers that says: “for this site, only ever use the sealed envelope.”

Without it, that first-request gap can be used to steal logins and cookies. With it, the browser silently upgrades every visit to HTTPS from then on, so there's nothing to intercept.

How to fix / set it up

  1. Make sure your whole site works over HTTPS with a valid certificate.
  2. Add Strict-Transport-Security: max-age=31536000; includeSubDomains at your web server or CDN.
  3. Once you're confident, consider adding preload and submitting at hstspreload.org.

HSTS CheckerSecurity Headers Generator

The technical detail

HSTS is delivered by the Strict-Transport-Security response header, e.g. max-age=31536000; includeSubDomains; preload. max-age is how long (seconds) the browser enforces HTTPS-only; includeSubDomains extends it to every subdomain; preload opts into the browser-baked preload list so even the first-ever request is protected.

The header is only honoured when it arrives over HTTPS. max-age=0 switches HSTS off. Preloading is powerful but slow to reverse, so only enable it once every subdomain reliably serves HTTPS.

FAQ

Is HSTS safe to turn on?

Yes, if your site fully works over HTTPS. Be careful with includeSubDomains and preload — enable them only once every subdomain serves HTTPS, because they're slow to undo.

What max-age should I use?

At least 31536000 seconds (one year). Start shorter if cautious, then raise it.

Related

← All topics in the knowledge base