HSTS enabled
HTTP Strict Transport Security (HSTS) tells browsers to only access your site over HTTPS, preventing protocol downgrade attacks and cookie hijacking.
Why It Matters
Without HSTS, attackers can intercept the initial HTTP request before it redirects to HTTPS, enabling man-in-the-middle attacks. HSTS ensures browsers never make insecure requests to your domain.
How We Check
We verify the presence of the Strict-Transport-Security header and check for proper max-age value (minimum 1 year recommended), includeSubDomains directive, and preload eligibility.
How to Fix
Add the header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Start with a short max-age and gradually increase it. Consider submitting to the HSTS preload list.
Frequently Asked Questions
What is HSTS (HTTP Strict Transport Security)?
HSTS is an HTTP response header (`Strict-Transport-Security`) that instructs browsers to always connect to your site over HTTPS — never HTTP — for a specified period (max-age). Once a browser receives this header, it will refuse to connect via HTTP even if a user types 'http://' in the address bar.
What max-age value should I use for HSTS?
Use at least `max-age=31536000` (1 year) for production sites. Start with `max-age=300` (5 minutes) while testing to avoid locking yourself out if HTTPS breaks. Increase gradually: 5 min → 1 hour → 1 day → 1 week → 1 year. For HSTS preload list eligibility, 1 year is the minimum.
What is HSTS preloading and should I use it?
HSTS preloading hardcodes your domain into browsers' built-in lists (Chrome, Firefox, Safari, Edge) so HTTPS is enforced from the very first visit — before any header is received. To qualify, set `max-age=31536000; includeSubDomains; preload` and submit at hstspreload.org. Warning: preloading is difficult to reverse — ensure all subdomains support HTTPS before submitting.
Should I use includeSubDomains in my HSTS header?
Use `includeSubDomains` only if all your subdomains support HTTPS. It extends HSTS protection to every subdomain, preventing attacks where an insecure subdomain is used to set cookies for the parent domain. If any subdomain doesn't have a valid HTTPS certificate, users won't be able to access it.
Does having an HTTPS redirect replace HSTS?
No. An HTTP→HTTPS redirect only protects users on their second visit onward if they remember to use HTTPS. The first HTTP request is still sent unencrypted and can be intercepted (SSL stripping). HSTS tells the browser to never send that first HTTP request at all.
Related Security Checks
Related Tool
SSL Checker
Run all 10 related checks with our free ssl checker
Check Your Website Now
Run a free security scan to check for HSTS enabled issues and 62+ other security vulnerabilities.
Scan Your Website Free