
What Is HSTS

Learn what HSTS is, Strict-Transport-Security headers, max-age, includeSubDomains, preload, and safe rollout.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 5 min read Beginner

Introduction

HSTS is sent by the server in HTTPS responses, not in DNS. The browser remembers the policy for max-age seconds.

Optional directives include includeSubDomains and preload, which increase scope and commitment.

Quick answer

HSTS (HTTP Strict Transport Security) is a response header that tells browsers to use HTTPS only for future visits to your domain. It reduces downgrade attacks but should only be enabled after HTTPS and redirects work correctly — mistakes can lock users out of HTTP recovery paths.

What it means

The Strict-Transport-Security header instructs supporting browsers to never use plain HTTP for the site during the max-age period.

  • max-age: how long, in seconds, browsers remember the HTTPS-only policy
  • includeSubDomains: applies the HSTS policy to all subdomains as well
  • preload: optional submission to the browsers' built-in HSTS list (not easily reversible)
  • Only send the header over HTTPS responses; browsers ignore it on plain HTTP
  • Requires a valid, working SSL/TLS certificate first
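To make the browser side of this concrete, here is an added example (not code from the page or from CheckDomainHealth) that models how a browser remembers an HSTS policy according to the rules in the list above: the policy is learned only from HTTPS responses, it lasts max-age seconds, includeSubDomains extends it to every subdomain, and a max-age of 0 makes the browser forget it. The class name, the hostnames and the scripted scenario are all assumptions made for the illustration; real browsers keep this state in their own stores.

```python
"""Added example: a minimal model of a browser's HSTS host store.

Not browser code. It follows the behaviour the glossary describes
(and RFC 6797): learn only from HTTPS, expire after max-age seconds,
honour includeSubDomains for superdomain matches, forget on max-age=0.
All hostnames below are placeholders.
"""
import time


class HstsStore:
    """Remembers which hosts must be reached over HTTPS only."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so the expiry can be tested offline
        self.policies = {}          # host -> (expires_at, include_subdomains)

    def learn(self, host, scheme, max_age, include_subdomains=False):
        """Record a policy from a response; plain-HTTP responses are ignored."""
        if scheme != "https":
            return False            # browsers ignore HSTS sent over http
        if max_age <= 0:
            self.policies.pop(host, None)   # max-age=0 tells the browser to forget
            return True
        self.policies[host] = (self.clock() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """True if host, or a superdomain with includeSubDomains, has a live policy."""
        now = self.clock()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.policies.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now:
                del self.policies[candidate]   # policy expired, drop it
                continue
            if i == 0 or include_subdomains:   # exact match, or covered subdomain
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// when the host is a known HSTS host."""
        if url.startswith("http://"):
            rest = url[len("http://"):]
            host = rest.split("/", 1)[0].split(":")[0]
            if self.is_known(host):
                return "https://" + rest
        return url


def walkthrough():
    """Scripted scenario with a fake clock; returns the four rewrite results."""
    now = [1_000_000.0]
    store = HstsStore(clock=lambda: now[0])
    store.learn("example.test", "http", 31536000)        # ignored: not an HTTPS response
    first = store.rewrite("http://example.test/login")   # still plain http
    store.learn("example.test", "https", 300, include_subdomains=True)
    second = store.rewrite("http://example.test/login")  # upgraded
    third = store.rewrite("http://api.example.test/v1")  # subdomain covered
    now[0] += 301                                        # max-age has elapsed
    fourth = store.rewrite("http://example.test/login")  # policy forgotten
    return [first, second, third, fourth]


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

The walkthrough is the point of the example: a redirect fixes one request, whereas a remembered policy rewrites the URL before any HTTP request is made, and it keeps doing so until max-age runs out, which is exactly why a broken subdomain stays unreachable for that long.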

Where you see this:

  • Production websites after HTTPS migration
  • Security hardening for login and admin areas
  • Compliance and security best practice programs
  • Preventing SSL stripping attacks

Example

Strict-Transport-Security: max-age=31536000; includeSubDomains

Enable HSTS only after HTTPS works reliably on every page it covers. includeSubDomains affects every subdomain, so each one must support HTTPS.

Why this matters

HSTS protects users from being downgraded to plain HTTP. If HSTS is enabled while HTTPS is broken on a covered subdomain, browsers will refuse to fall back to HTTP and the resulting access problems persist until max-age expires.

How to check it

  1. Confirm HTTPS works on all pages with SSL Checker.
  2. Run HTTP Header Checker on https://yourdomain.com.
  3. Look for the Strict-Transport-Security header and its max-age value.
  4. Test that http:// URLs redirect cleanly to HTTPS.
  5. Add HSTS only after redirects and certificates are stable.
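The steps above use the site's own online tools. As an added, offline illustration (not the page's or CheckDomainHealth's code), the script below runs the same checks over a few constructed sample responses: step 4 (http:// must redirect to HTTPS), step 3 (the HTTPS response must carry Strict-Transport-Security with a numeric max-age), and the includeSubDomains and preload cautions from this guide. The hostnames, the sample responses and the finding labels are assumptions; the one-year threshold and the includeSubDomains requirement for preload are the public preload list's submission requirements.

```python
"""Added example: audit HSTS headers on constructed sample responses, offline.

Findings are 'LEVEL: message' strings so the result can be asserted on.
"""
from urllib.parse import urlsplit

ONE_YEAR = 31536000              # seconds; the usual production max-age
REDIRECT_STATUSES = {301, 302, 307, 308}

# Constructed sample responses keyed by URL: (status code, response headers).
# Hostnames are placeholders; nothing here describes a real site.
SAMPLE_RESPONSES = {
    "http://example.test/": (301, {"Location": "https://example.test/"}),
    "https://example.test/": (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "http://www.example.test/": (200, {"Strict-Transport-Security": "max-age=300"}),
    "https://staging.example.test/": (200, {"Strict-Transport-Security": "max-age=300"}),
    "https://api.example.test/": (200, {}),
    "https://bad.example.test/": (200, {"Strict-Transport-Security": "includeSubDomains; preload"}),
    "https://preload.example.test/": (200, {"Strict-Transport-Security": "max-age=300; preload"}),
}


def parse_hsts(value):
    """Split an HSTS header value into lower-cased directive names and values.

    Directive names are case-insensitive (RFC 6797); a directive without
    '=' (includeSubDomains, preload) maps to an empty string.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_url(url, responses=SAMPLE_RESPONSES):
    """Return a list of 'LEVEL: message' findings for one URL."""
    status, headers = responses[url]
    hdr = {k.lower(): v for k, v in headers.items()}
    hsts = hdr.get("strict-transport-security")
    findings = []

    if urlsplit(url).scheme == "http":
        # Step 4: plain-HTTP URLs must redirect cleanly to HTTPS.
        if status in REDIRECT_STATUSES and hdr.get("location", "").startswith("https://"):
            findings.append("OK: http redirects to https")
        else:
            findings.append("FAIL: http does not redirect to https")
        if hsts is not None:
            findings.append("WARN: browsers ignore HSTS sent over plain http")
        return findings

    # Step 3: the HTTPS response should carry the header with a numeric max-age.
    if hsts is None:
        return ["FAIL: no Strict-Transport-Security header"]
    d = parse_hsts(hsts)
    if not d.get("max-age", "").isdigit():
        return ["FAIL: missing or non-numeric max-age; browsers ignore the header"]
    max_age = int(d["max-age"])
    if max_age >= ONE_YEAR:
        findings.append("OK: production max-age")
    else:
        findings.append(f"INFO: short max-age={max_age}, fine for testing")
    if "includesubdomains" in d:
        findings.append("WARN: includeSubDomains covers every subdomain; all must serve HTTPS")
    if "preload" in d:
        findings.append("WARN: preload is hard to undo")
        if "includesubdomains" not in d or max_age < ONE_YEAR:
            findings.append("FAIL: preload list requires includeSubDomains and max-age >= one year")
    return findings


def audit_all(responses=SAMPLE_RESPONSES):
    """Audit every sample URL; returns {url: findings}."""
    return {url: audit_url(url, responses) for url in responses}


if __name__ == "__main__":
    for url, findings in audit_all().items():
        print(url)
        for finding in findings:
            print("   ", finding)
```

Feeding real responses in is a matter of replacing SAMPLE_RESPONSES with the status and headers your HTTP client returns; the parsing and the decision logic stay the same.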

Check HSTS header

Use HTTP Header Checker to see whether Strict-Transport-Security is sent on HTTPS responses.


Common mistakes

Enabling HSTS before SSL is stable

Severity: High

Browsers refuse to fall back to HTTP while the certificate or the redirect is broken.

Next step: Fix HTTPS fully, then add HSTS with a short max-age for testing.

includeSubDomains breaks HTTP-only subdomains

Severity: High

A subdomain that only serves HTTP becomes unreachable, because browsers will no longer load it over HTTP.

Next step: Secure all subdomains first, or omit includeSubDomains.

Submitting to preload without understanding it

Severity: High

Preload is hard to undo and affects all users globally.

Next step: Test with a short max-age locally before considering preload.

Example

HSTS header example (production):

Strict-Transport-Security: max-age=31536000; includeSubDomains

Start testing with a shorter max-age:

Strict-Transport-Security: max-age=300

Frequently asked questions

Is HSTS the same as an HTTPS redirect?

No. Redirects send each request to HTTPS. HSTS tells the browser to skip HTTP attempts on future visits.

Can I set HSTS in DNS?

No. HSTS is an HTTP response header from your web server or CDN.

What max-age should I use?

Start with 300 seconds for testing. Production deployments commonly use 31536000 (one year) once you are confident the configuration is stable.

Does HSTS replace SSL certificates?

No. HSTS requires valid HTTPS and certificates to work safely.
