What Is HSTS
Learn what HSTS is, Strict-Transport-Security headers, max-age, includeSubDomains, preload, and safe rollout.
Introduction
HSTS is sent by the server in HTTPS responses, not in DNS. The browser remembers the policy for max-age seconds.
Optional directives include includeSubDomains and preload, which increase scope and commitment.
Quick answer
HSTS (HTTP Strict Transport Security) is a response header that tells browsers to use HTTPS only for future visits to your domain. It reduces downgrade attacks but should only be enabled after HTTPS and redirects work correctly — mistakes can lock users out of HTTP recovery paths.
What it means
The Strict-Transport-Security header instructs supporting browsers to never use plain HTTP for the site during the max-age period.
- max-age — how long browsers remember HTTPS-only policy (seconds)
- includeSubDomains — applies HSTS to all subdomains
- preload — opts the domain into the browsers' built-in HSTS preload list (not easily reversed)
- Only send over HTTPS responses
- Requires a valid, working SSL/TLS certificate first
Where you see this:
- Production websites after HTTPS migration
- Security hardening for login and admin areas
- Compliance and security best practice programs
- Preventing SSL stripping attacks
Strict-Transport-Security: max-age=31536000; includeSubDomains
Enable HSTS only after HTTPS works reliably on all pages you include. includeSubDomains affects every subdomain — each must support HTTPS.
Why this matters
HSTS protects users from being downgraded to HTTP. Misconfigured HSTS with broken HTTPS on a subdomain can cause hard-to-fix access problems until max-age expires.
How to check it
- Confirm HTTPS works on all pages with SSL Checker.
- Run HTTP Header Checker on https://yourdomain.com.
- Look for Strict-Transport-Security header and max-age value.
- Test http:// URLs redirect cleanly to HTTPS first.
- Add HSTS only after redirects and certificates are stable.
Check HSTS header
Use HTTP Header Checker to see whether Strict-Transport-Security is sent on HTTPS responses.
Common mistakes
Enabling HSTS before SSL is stable
Severity: High. Browsers will not fall back to HTTP while the certificate or redirect is broken.
Next step: Fix HTTPS fully, then add HSTS with short max-age for testing.
includeSubDomains breaks HTTP-only subdomains
Severity: High. A subdomain without HTTPS becomes unreachable, because browsers no longer allow plain HTTP to it.
Next step: Secure all subdomains first or omit includeSubDomains.
Submitting to preload without understanding
Severity: High. Preload is hard to undo and affects all users globally.
Next step: Test with short max-age locally before considering preload.
Example
Strict-Transport-Security: max-age=31536000; includeSubDomains
Start testing with a shorter max-age:
Strict-Transport-Security: max-age=300
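Why the short testing value is safe, shown with a small model of a browser's HSTS cache. This is an added Python example, not code from this guide or from any browser: it keeps the rules that matter for rollout (only HTTPS responses set the policy, the policy expires after max-age seconds, includeSubDomains extends it to subdomains, max-age=0 clears it) and ignores ports, IP literals and the preload list. The hostnames and clock values are constructed.

```python
import re
import time
from typing import Callable, Dict, Optional, Tuple


class HstsStore:
    """Minimal model of a browser's HSTS cache (illustration only)."""

    def __init__(self, now: Optional[Callable[[], float]] = None):
        self.now = now or time.time           # injectable clock so tests can advance time
        self.entries: Dict[str, Tuple[float, bool]] = {}  # host -> (expires_at, includeSubDomains)

    def observe(self, scheme: str, host: str, headers: Dict[str, str]) -> None:
        """Process one response. Only HTTPS responses may set or clear HSTS."""
        if scheme != "https":
            return  # RFC 6797 section 8.1: header on plain HTTP is ignored
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return
        m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
        if not m:
            return  # no usable max-age: the header is invalid and ignored
        max_age = int(m.group(1))
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the host
            return
        include_sub = re.search(r"includesubdomains", value, re.IGNORECASE) is not None
        self.entries[host] = (self.now() + max_age, include_sub)

    def is_known(self, host: str) -> bool:
        """True if host, or a superdomain with includeSubDomains, has an unexpired policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= self.now():
                del self.entries[candidate]  # expired: the lock-in is over
                continue
            if i == 0 or include_sub:
                return True
        return False

    def navigate(self, url: str) -> str:
        """Return the URL the browser would actually request."""
        scheme, rest = url.split("://", 1)
        host = rest.split("/", 1)[0]
        if scheme == "http" and self.is_known(host):
            return "https://" + rest  # internal upgrade: no HTTP request is sent
        return url


def rollout_demo() -> Tuple[str, str, str, str, str]:
    """Walk through the rollout in this guide on constructed hosts and a fake clock."""
    clock = [1_000_000.0]
    store = HstsStore(now=lambda: clock[0])

    # 1. A header sent on plain HTTP changes nothing.
    store.observe("http", "example.com", {"Strict-Transport-Security": "max-age=31536000"})
    a = store.navigate("http://example.com/login")            # still http://

    # 2. Testing policy over HTTPS: the host is upgraded, its subdomains are not.
    store.observe("https", "example.com", {"Strict-Transport-Security": "max-age=300"})
    b = store.navigate("http://example.com/login")            # upgraded
    c = store.navigate("http://legacy.example.com/")          # untouched: no includeSubDomains

    # 3. 300 seconds later the testing policy has expired; nothing is locked in.
    clock[0] += 301
    d = store.navigate("http://example.com/login")            # back to http://

    # 4. Production policy with includeSubDomains now covers every subdomain for a year.
    store.observe("https", "example.com",
                  {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    e = store.navigate("http://legacy.example.com/")          # upgraded, so it must serve HTTPS
    return a, b, c, d, e


if __name__ == "__main__":
    for step, url in zip("abcde", rollout_demo()):
        print(step, url)
```

Step 3 is the point of the short value: a mistake made with max-age=300 heals itself in five minutes, while the same mistake at step 4 stays in every visitor's browser for a year.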
Frequently asked questions
Is HSTS the same as an HTTPS redirect?
No. Redirects send each request to HTTPS. HSTS tells the browser to skip HTTP attempts on future visits.
Can I set HSTS in DNS?
No. HSTS is an HTTP response header from your web server or CDN.
What max-age should I use?
Start with 300 seconds for testing. Production often uses 31536000 (one year) when confident.
Does HSTS replace SSL certificates?
No. HSTS requires valid HTTPS and certificates to work safely.