SSL & HTTPS Guides

HSTS Explained: Strict Transport Security for Browsers

Learn what HSTS is, how the Strict-Transport-Security header works, and how to enable it safely without breaking HTTPS access.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 8 min read Beginner

Introduction

HSTS, or HTTP Strict Transport Security, is a browser security policy that tells browsers to use HTTPS automatically for a domain after they have visited it securely. When HSTS is active, the browser upgrades future HTTP requests to HTTPS before contacting the website.

HSTS can improve security, but it should be enabled only after HTTPS is stable. If SSL, redirects, subdomains or CDN configuration are not ready, HSTS can make problems harder to recover from because browsers may refuse to use HTTP fallback.

Quick answer

Quick answer

HSTS is a response header that tells browsers to always use HTTPS for your domain for a defined time. It can protect against accidental HTTP access, but it should only be enabled after SSL, redirects, root/www and subdomains work correctly.

What is HSTS?

HSTS stands for HTTP Strict Transport Security. It is enabled with the Strict-Transport-Security HTTP response header.

Example
Strict-Transport-Security: max-age=31536000; includeSubDomains

This tells compatible browsers to remember that the site should be accessed only over HTTPS for the configured time.

HSTS is enforced by browsers. It is not a DNS record and it does not install an SSL certificate.

How HSTS works

  1. A visitor opens the website over HTTPS.
  2. The server sends a Strict-Transport-Security header.
  3. The browser stores the HSTS policy.
  4. On future visits, the browser automatically uses HTTPS.
  5. If HTTPS is broken, the browser may block access instead of falling back to HTTP.

HSTS helps after the browser has learned the policy. HSTS preload can apply before the first visit, but preload is an advanced commitment.

Header directives

max-age

How long the browser should remember the HSTS policy, in seconds. Example: max-age=31536000

includeSubDomains

Applies the HSTS policy to all subdomains. Example: includeSubDomains

preload

Signals intent to be included in browser preload lists. Example: preload

The most important directive is max-age. includeSubDomains and preload should be added only when you are confident all subdomains support HTTPS.

Safe rollout

Do not start with a very long max-age if you are unsure. Roll out HSTS gradually.

Suggested rollout
Testing:
Strict-Transport-Security: max-age=300

Short trial:
Strict-Transport-Security: max-age=86400

Longer period:
Strict-Transport-Security: max-age=2592000

Production:
Strict-Transport-Security: max-age=31536000

Only add includeSubDomains after confirming every important subdomain supports HTTPS.

Subdomains and preload

includeSubDomains applies HSTS to all subdomains. This can be useful for security, but risky if any subdomain does not support HTTPS.

preload is even stronger. It can place the domain into browser preload lists so browsers use HTTPS before the first visit.

includeSubDomains risk

A forgotten subdomain may become unreachable if it does not support HTTPS.

preload risk

Removing a domain from preload lists can take time and is not an instant rollback.

Do not use preload unless HTTPS is stable across the entire domain and subdomain structure.

Why this matters

Why this matters

HSTS matters because it reduces the chance that users access the insecure HTTP version of a site. It helps protect against protocol downgrade risks and accidental insecure links after HTTPS is working.

However, HSTS is not a replacement for SSL setup. It depends on valid HTTPS, clean redirects and correct certificate coverage.

How to check HSTS

Use HTTP Header Checker to inspect whether the Strict-Transport-Security header is present on HTTPS responses.

When checking HSTS, review

These seven checks help confirm HSTS is configured correctly.

Header presence

Confirm Strict-Transport-Security is sent on HTTPS pages.

max-age value

Check whether the duration is short, medium or long.

includeSubDomains

Confirm whether the policy applies to all subdomains.

preload

Check whether preload is present intentionally.

HTTP behavior

Confirm HTTP redirects to HTTPS correctly.

SSL status

Confirm HTTPS works before relying on HSTS.

CDN/proxy behavior

Confirm the header is added consistently at the edge or origin.

Check HSTS header

Use HTTP Header Checker to verify Strict-Transport-Security and related HTTPS headers.

Run Header Check →

Common problems

HSTS enabled before HTTPS is stable

High

Browsers may force HTTPS even when SSL or redirects are broken.

Next step: Fix SSL, redirects and hostname coverage before using long HSTS values.

max-age too long during testing

Medium

A long HSTS policy makes rollback harder if something is wrong.

Next step: Start with a short max-age and increase gradually.

includeSubDomains breaks subdomains

High

HSTS applies to subdomains that may not support HTTPS.

Next step: Audit subdomains before enabling includeSubDomains.

preload added too early

High

Preload is difficult to reverse quickly.

Next step: Remove preload until the full HTTPS setup is stable and intentionally prepared.

Header only sent on some pages

Medium

HSTS may not be applied consistently across the site.

Next step: Configure the header at the server, CDN or proxy level.

Header sent over HTTP only

Low

Browsers only honor HSTS from secure HTTPS responses.

Next step: Send the header on HTTPS responses and redirect HTTP to HTTPS.

CDN and origin conflict

Medium

Both CDN and origin may add different HSTS headers.

Next step: Choose one layer to manage HSTS consistently.

HSTS expected to fix mixed content

Low

HSTS does not automatically fix insecure assets inside pages.

Next step: Fix mixed content separately.

How to enable safely

  1. Step 1: Verify SSL certificate

    Confirm the certificate is valid for root, www and required subdomains.

  2. Step 2: Fix HTTP to HTTPS redirects

    Make sure HTTP redirects cleanly to HTTPS without loops or chains.

  3. Step 3: Check subdomains

    Review whether subdomains support HTTPS before using includeSubDomains.

  4. Step 4: Start with short max-age

    Use a short duration first, such as 300 or 86400 seconds.

  5. Step 5: Monitor for issues

    Check browser behavior, redirects, CDN rules and support reports.

  6. Step 6: Increase max-age gradually

    Move to longer values only after confirming stability.

  7. Step 7: Add includeSubDomains only when ready

    Use it only if all subdomains are HTTPS-ready.

  8. Step 8: Consider preload last

    Only use preload after meeting preload requirements and accepting rollback risk.

HSTS examples

Short test
Strict-Transport-Security: max-age=300
One day
Strict-Transport-Security: max-age=86400
One year
Strict-Transport-Security: max-age=31536000
One year with subdomains
Strict-Transport-Security: max-age=31536000; includeSubDomains
Preload-ready style
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Check with curl
curl -I https://example.com

These examples are illustrative. Do not use includeSubDomains or preload until HTTPS works correctly across the domain and subdomains.

CDN and proxy

If a CDN or reverse proxy is used, HSTS may be added by the CDN edge, origin server or both.

  • Whether CDN adds HSTS
  • Whether origin adds HSTS
  • Whether headers are duplicated
  • Whether root and www receive the same policy
  • Whether subdomains receive the intended policy
  • Whether CDN SSL mode is stable
  • Whether redirects work before enabling long max-age

Managing HSTS at the CDN can be clean, but only if CDN HTTPS and origin HTTPS are configured correctly.

Readiness checklist

Before enabling long HSTS

Confirm these items before using a long max-age.

SSL certificate is valid

HTTPS works for the public hostname.

HTTP redirects to HTTPS

No accidental HTTP access path remains.

Root and www are consistent

Canonical hostname strategy is stable.

Important subdomains support HTTPS

Required before includeSubDomains.

No redirect loops exist

CDN, server and app rules agree.

No mixed content warnings remain

Pages load securely over HTTPS.

CDN/proxy SSL is stable

Edge and origin HTTPS are aligned.

max-age rollout plan exists

Start short, increase gradually.

Rollback plan is understood

Know how to reduce max-age if needed.

Preload is not enabled accidentally

Preload requires intentional setup.

Before preload

Confirm these items before submitting to a preload list.

max-age is at least one year

Use max-age=31536000 or longer.

includeSubDomains is enabled

Required for preload eligibility.

HTTPS works on root and subdomains

All covered hostnames are HTTPS-ready.

HTTP redirects to HTTPS

No HTTP-only access remains.

Preload risk is accepted

Removal is not instant.

Removal delay is understood

Browser preload lists update slowly.

Frequently asked questions

What does HSTS do?

HSTS tells browsers to use HTTPS automatically for a domain for a defined period.

Does HSTS install SSL?

No. HSTS requires a working HTTPS setup first.

What is max-age?

max-age is the number of seconds browsers should remember the HSTS policy.

Should I use includeSubDomains?

Only if all important subdomains support HTTPS reliably.

What is HSTS preload?

Preload can put your domain into browser preload lists so HTTPS is used before the first visit. It should be used carefully.

Can HSTS break a website?

Yes, if HTTPS is misconfigured or subdomains are not ready.

Can I disable HSTS immediately?

You can send a shorter or zero max-age, but browsers that already cached a long policy may keep it until it expires. Preload removal can take longer.

Use these free tools to verify your configuration after applying changes.

Browse all SSL & HTTPS guides →

Need help applying this fix?

Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.

Get Help Run Domain Health Check

Was this guide helpful?

Your feedback helps us improve our guides for everyone.