Header guide

Strict-Transport-Security

Strict-Transport-Security, often called HSTS, tells browsers to use HTTPS automatically after the first secure visit.

01

What HSTS Protects

HSTS helps prevent downgrade attacks where a browser is tricked into using plain HTTP.

Once the browser stores the policy, future visits go straight to HTTPS for as long as the max-age value allows, without an initial plain-HTTP request.

02

Why It Matters

Users may type a domain without https://. HSTS helps the browser avoid the insecure version after the first valid visit.

It is especially important for login, checkout, account, and admin pages.

03

Recommended Value

A common production value is: max-age=31536000; includeSubDomains; preload.

Only use includeSubDomains and preload when every important subdomain is ready for HTTPS. Removing a preloaded domain can take time.

04

Examples

Start with a shorter max-age while testing, then increase it once HTTPS is stable.

Use includeSubDomains only when older subdomains and staging hosts also support HTTPS, because the policy will apply to every host under the domain.
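The following parser and checker is an added example, not part of this guide; it shows how to read the directives of a Strict-Transport-Security value and compare them to the recommended value above (one-year max-age, includeSubDomains, preload). The one-year minimum and includeSubDomains requirement for preload are the published preload-list requirements; the function names, the findings text and the sample values are assumptions made here.

```python
"""Parse and check a Strict-Transport-Security header value (added example)."""
import re

ONE_YEAR = 31536000  # seconds; the max-age used in the guide's recommended value


def parse_hsts(value):
    """Parse an HSTS value into its three known directives.

    Directive names are case-insensitive and unknown directives are ignored
    (RFC 6797). A directive that appears twice makes the header invalid.
    """
    policy = {"max-age": None, "includeSubDomains": False, "preload": False}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age may be a quoted string
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                raise ValueError(f"invalid max-age: {arg!r}")
            policy["max-age"] = int(arg)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def check_hsts(value, served_over_https=True):
    """Return a list of findings comparing a header value to the guide's advice.

    An empty list means the value matches the recommended production setting.
    """
    findings = []
    if not served_over_https:
        findings.append("header sent over plain HTTP: browsers ignore it")
    policy = parse_hsts(value)
    max_age = policy["max-age"]
    if max_age is None:
        findings.append("max-age is required; browsers ignore the header without it")
        return findings
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif max_age < ONE_YEAR:
        findings.append(
            f"max-age below one year ({max_age}s); fine while testing, "
            "raise it once HTTPS is stable"
        )
    if policy["preload"]:
        # Preload submission requires both of these in addition to the directive itself.
        if not policy["includeSubDomains"]:
            findings.append("preload requires includeSubDomains")
        if max_age < ONE_YEAR:
            findings.append("preload requires max-age of at least one year")
    return findings


if __name__ == "__main__":
    # Constructed sample values, from the guide's recommendation down to a bare directive.
    for sample in (
        "max-age=31536000; includeSubDomains; preload",
        "max-age=300",
        'max-age="600"; preload',
        "includeSubDomains",
    ):
        print(f"{sample!r}: {check_hsts(sample) or 'ok'}")
```

Running the module prints the findings for each constructed sample; the recommended value produces none, the testing value reports a short max-age, and the preload sample is flagged for both missing includeSubDomains and a max-age under one year.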

FAQ

Common questions

Can I use HSTS on HTTP?

No. Browsers only honor HSTS when it is sent over a valid HTTPS response.

What does max-age mean?

It is the number of seconds the browser should remember to force HTTPS for that host.

Should every site use preload?

No. Preload is powerful but harder to undo, because the domain is compiled into browser releases rather than stored per user. Use it only when your entire domain is ready.

Does HSTS fix mixed content?

No. You still need to load scripts, images, fonts, and styles over HTTPS.

Can I remove HSTS quickly?

You can lower max-age, but browsers that already cached the old value may keep it until it expires.
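To make the FAQ answers concrete, here is an added example (not from this guide) that models how a browser stores an HSTS policy: the header is ignored over plain HTTP, the policy expires after max-age seconds, includeSubDomains extends it to hosts below the domain, max-age=0 forgets the host, and a browser that has not revisited keeps the older, longer value. The class name, method names and the sample hosts and timestamps are assumptions made for the illustration; this is a simplified model, not any browser's implementation.

```python
"""Simplified model of a browser's HSTS cache (added example, not browser code)."""
import time


class HstsStore:
    """Maps a host to (expiry timestamp, includeSubDomains flag)."""

    def __init__(self):
        self._policies = {}

    def observe(self, host, scheme, max_age, include_subdomains=False, now=None):
        """Record the policy carried by a response; True if stored, False if ignored."""
        now = time.time() if now is None else now
        if scheme != "https":
            return False  # browsers only honor HSTS over a valid HTTPS response
        host = host.lower()
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 asks the browser to forget the host
            return True
        self._policies[host] = (now + max_age, include_subdomains)
        return True

    def should_upgrade(self, host, now=None):
        """True if a plain-HTTP request to host must be rewritten to HTTPS."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        # Check the host itself, then each parent domain (parents only count with includeSubDomains).
        for i in range(len(labels)):
            entry = self._policies.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                continue  # policy has expired
            if i == 0 or include_subdomains:
                return True
        return False


def lowering_max_age_scenario():
    """Two browsers see a year-long policy; only the one that revisits sees the lowered value.

    Returns (still_forced_without_revisit, forced_after_revisit) at a later time.
    """
    t0 = 1_700_000_000  # constructed timestamp
    one_year = 31536000
    stale = HstsStore()
    fresh = HstsStore()
    for store in (stale, fresh):
        store.observe("example.com", "https", one_year, now=t0)
    # The site lowers max-age to 60 seconds; only the 'fresh' browser makes another visit.
    fresh.observe("example.com", "https", 60, now=t0 + 100)
    later = t0 + 200
    return stale.should_upgrade("example.com", later), fresh.should_upgrade("example.com", later)


if __name__ == "__main__":
    store = HstsStore()
    t0 = 1_700_000_000
    print("over http stored:", store.observe("example.com", "http", 3600, now=t0))
    store.observe("example.com", "https", 3600, include_subdomains=True, now=t0)
    print("example.com upgraded:", store.should_upgrade("example.com", t0 + 10))
    print("shop.example.com upgraded:", store.should_upgrade("shop.example.com", t0 + 10))
    print("after expiry:", store.should_upgrade("example.com", t0 + 3600))
    print("stale vs fresh browser:", lowering_max_age_scenario())
```

The scenario function is the FAQ's last answer in code: lowering max-age changes nothing for a browser that still holds the old expiry until it either revisits over HTTPS or the old value runs out.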