HSTS Explained: Strict Transport Security for Browsers
Learn what HSTS is, how the Strict-Transport-Security header works, and how to enable it safely without breaking HTTPS access.
Introduction
HSTS, or HTTP Strict Transport Security, is a browser security policy that tells browsers to use HTTPS automatically for a domain after they have visited it securely. When HSTS is active, the browser upgrades future HTTP requests to HTTPS before contacting the website.
HSTS can improve security, but it should be enabled only after HTTPS is stable. If SSL, redirects, subdomains or CDN configuration are not ready, HSTS can make problems harder to recover from because browsers may refuse to use HTTP fallback.
Quick answer
HSTS is a response header that tells browsers to always use HTTPS for your domain for a defined time. It can protect against accidental HTTP access, but it should only be enabled after SSL, redirects, root/www and subdomains work correctly.
What is HSTS?
HSTS stands for HTTP Strict Transport Security. It is enabled with the Strict-Transport-Security HTTP response header.
Strict-Transport-Security: max-age=31536000; includeSubDomains
This tells compatible browsers to remember that the site should be accessed only over HTTPS for the configured time.
HSTS is enforced by browsers. It is not a DNS record and it does not install an SSL certificate.
How HSTS works
- A visitor opens the website over HTTPS.
- The server sends a Strict-Transport-Security header.
- The browser stores the HSTS policy.
- On future visits, the browser automatically uses HTTPS.
- If HTTPS is broken, the browser may block access instead of falling back to HTTP.
HSTS helps after the browser has learned the policy. HSTS preload can apply before the first visit, but preload is an advanced commitment.
Header directives
max-age
How long the browser should remember the HSTS policy, in seconds. Example: max-age=31536000
includeSubDomains
Applies the HSTS policy to all subdomains. Example: includeSubDomains
preload
Signals intent to be included in browser preload lists. Example: preload
The most important directive is max-age. includeSubDomains and preload should be added only when you are confident all subdomains support HTTPS.
Safe rollout
Do not start with a very long max-age if you are unsure. Roll out HSTS gradually.
Testing:
Strict-Transport-Security: max-age=300
Short trial:
Strict-Transport-Security: max-age=86400
Longer period:
Strict-Transport-Security: max-age=2592000
Production:
Strict-Transport-Security: max-age=31536000
Only add includeSubDomains after confirming every important subdomain supports HTTPS.
Subdomains and preload
includeSubDomains applies HSTS to all subdomains. This can be useful for security, but risky if any subdomain does not support HTTPS.
preload is even stronger. It can place the domain into browser preload lists so browsers use HTTPS before the first visit.
includeSubDomains risk
A forgotten subdomain may become unreachable if it does not support HTTPS.
preload risk
Removing a domain from preload lists can take time and is not an instant rollback.
Do not use preload unless HTTPS is stable across the entire domain and subdomain structure.
Why this matters
HSTS matters because it reduces the chance that users access the insecure HTTP version of a site. It helps protect against protocol downgrade risks and accidental insecure links after HTTPS is working.
However, HSTS is not a replacement for SSL setup. It depends on valid HTTPS, clean redirects and correct certificate coverage.
How to check HSTS
Use HTTP Header Checker to inspect whether the Strict-Transport-Security header is present on HTTPS responses.
When checking HSTS, review
These seven checks help confirm HSTS is configured correctly.
Header presence
Confirm Strict-Transport-Security is sent on HTTPS pages.
max-age value
Check whether the duration is short, medium or long.
includeSubDomains
Confirm whether the policy applies to all subdomains.
preload
Check whether preload is present intentionally.
HTTP behavior
Confirm HTTP redirects to HTTPS correctly.
SSL status
Confirm HTTPS works before relying on HSTS.
CDN/proxy behavior
Confirm the header is added consistently at the edge or origin.
Check HSTS header
Use HTTP Header Checker to verify Strict-Transport-Security and related HTTPS headers.
Common problems
HSTS enabled before HTTPS is stable
HighBrowsers may force HTTPS even when SSL or redirects are broken.
Next step: Fix SSL, redirects and hostname coverage before using long HSTS values.
max-age too long during testing
MediumA long HSTS policy makes rollback harder if something is wrong.
Next step: Start with a short max-age and increase gradually.
includeSubDomains breaks subdomains
HighHSTS applies to subdomains that may not support HTTPS.
Next step: Audit subdomains before enabling includeSubDomains.
preload added too early
HighPreload is difficult to reverse quickly.
Next step: Remove preload until the full HTTPS setup is stable and intentionally prepared.
Header only sent on some pages
MediumHSTS may not be applied consistently across the site.
Next step: Configure the header at the server, CDN or proxy level.
Header sent over HTTP only
LowBrowsers only honor HSTS from secure HTTPS responses.
Next step: Send the header on HTTPS responses and redirect HTTP to HTTPS.
CDN and origin conflict
MediumBoth CDN and origin may add different HSTS headers.
Next step: Choose one layer to manage HSTS consistently.
HSTS expected to fix mixed content
LowHSTS does not automatically fix insecure assets inside pages.
Next step: Fix mixed content separately.
How to enable safely
-
Step 1: Verify SSL certificate
Confirm the certificate is valid for root, www and required subdomains.
-
Step 2: Fix HTTP to HTTPS redirects
Make sure HTTP redirects cleanly to HTTPS without loops or chains.
-
Step 3: Check subdomains
Review whether subdomains support HTTPS before using includeSubDomains.
-
Step 4: Start with short max-age
Use a short duration first, such as 300 or 86400 seconds.
-
Step 5: Monitor for issues
Check browser behavior, redirects, CDN rules and support reports.
-
Step 6: Increase max-age gradually
Move to longer values only after confirming stability.
-
Step 7: Add includeSubDomains only when ready
Use it only if all subdomains are HTTPS-ready.
-
Step 8: Consider preload last
Only use preload after meeting preload requirements and accepting rollback risk.
HSTS examples
Strict-Transport-Security: max-age=300
Strict-Transport-Security: max-age=86400
Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
curl -I https://example.com
These examples are illustrative. Do not use includeSubDomains or preload until HTTPS works correctly across the domain and subdomains.
CDN and proxy
If a CDN or reverse proxy is used, HSTS may be added by the CDN edge, origin server or both.
- Whether CDN adds HSTS
- Whether origin adds HSTS
- Whether headers are duplicated
- Whether root and www receive the same policy
- Whether subdomains receive the intended policy
- Whether CDN SSL mode is stable
- Whether redirects work before enabling long max-age
Managing HSTS at the CDN can be clean, but only if CDN HTTPS and origin HTTPS are configured correctly.
Readiness checklist
Before enabling long HSTS
Confirm these items before using a long max-age.
SSL certificate is valid
HTTPS works for the public hostname.
HTTP redirects to HTTPS
No accidental HTTP access path remains.
Root and www are consistent
Canonical hostname strategy is stable.
Important subdomains support HTTPS
Required before includeSubDomains.
No redirect loops exist
CDN, server and app rules agree.
No mixed content warnings remain
Pages load securely over HTTPS.
CDN/proxy SSL is stable
Edge and origin HTTPS are aligned.
max-age rollout plan exists
Start short, increase gradually.
Rollback plan is understood
Know how to reduce max-age if needed.
Preload is not enabled accidentally
Preload requires intentional setup.
Before preload
Confirm these items before submitting to a preload list.
max-age is at least one year
Use max-age=31536000 or longer.
includeSubDomains is enabled
Required for preload eligibility.
HTTPS works on root and subdomains
All covered hostnames are HTTPS-ready.
HTTP redirects to HTTPS
No HTTP-only access remains.
Preload risk is accepted
Removal is not instant.
Removal delay is understood
Browser preload lists update slowly.
Frequently asked questions
What does HSTS do?
HSTS tells browsers to use HTTPS automatically for a domain for a defined period.
Does HSTS install SSL?
No. HSTS requires a working HTTPS setup first.
What is max-age?
max-age is the number of seconds browsers should remember the HSTS policy.
Should I use includeSubDomains?
Only if all important subdomains support HTTPS reliably.
What is HSTS preload?
Preload can put your domain into browser preload lists so HTTPS is used before the first visit. It should be used carefully.
Can HSTS break a website?
Yes, if HTTPS is misconfigured or subdomains are not ready.
Can I disable HSTS immediately?
You can send a shorter or zero max-age, but browsers that already cached a long policy may keep it until it expires. Preload removal can take longer.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all SSL & HTTPS guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!