HTTP Strict Transport Security (HSTS)
Overview
HTTP Strict Transport Security, or HSTS, is a web security mechanism (RFC 6797) by which a site tells browsers to reach it only over HTTPS for a defined period.
It matters because HSTS closes the window in which a browser would otherwise send plaintext HTTP to a host that is meant to be HTTPS-only, which is exactly the window a downgrade or interception attack needs.
What HSTS Does
HSTS is delivered in the Strict-Transport-Security response header, and a browser honours it only when the header arrives over a valid HTTPS connection; the same header on a plain HTTP response, or on an HTTPS response with certificate errors, is ignored.
Once the browser accepts it, the browser will:
- remember that the host is HTTPS-only
- rewrite any http:// URL for that host to https:// before sending a request, for the max-age duration the header specified
- treat certificate errors for that host as hard failures, with no click-through option
- optionally apply the rule to subdomains when the header carries includeSubDomains
That makes HSTS a browser-side policy memory, not just a server-side preference.
Why HSTS Matters
HSTS matters because redirecting HTTP to HTTPS is not enough on its own.
Without HSTS, a user who types the bare hostname or follows an http:// link starts with a plaintext request and relies on the server's redirect to reach HTTPS.
An attacker on the network path can answer that first request themselves and keep the user on HTTP; HSTS removes that opportunity for every visit after the policy has been learned.
HSTS vs HTTPS
HTTPS secures the connection itself.
HSTS tells the browser to insist on HTTPS for future visits, before any request is sent.
That distinction matters because a site can serve HTTPS correctly without HSTS, but it is then missing the layer that stops the browser from ever trying plain HTTP.
HSTS Preload Relevance
Some domains also submit to the HSTS preload list that browsers ship with.
That means the browser knows the site is HTTPS-only even on the very first visit, which is otherwise the one request HSTS cannot protect.
Inclusion requires a header with a max-age of at least one year, includeSubDomains, and the preload directive, plus an HTTP-to-HTTPS redirect on the domain itself, so preload increases the need for careful domain and subdomain planning.
Practical Caveats
HSTS is powerful, but misconfiguration can be painful.
- Applying includeSubDomains affects every subdomain, including internal, legacy, or forgotten hosts that may not serve valid HTTPS.
- Long max-age values are hard to unwind quickly: browsers keep the policy until it expires, and a shorter value (or max-age=0) only reaches clients that revisit over HTTPS.
- HSTS should not be enabled casually on domains that still need plain HTTP anywhere.
- Preload submission raises the stakes even further, because removal from the list takes browser release cycles, not a header change.
This is why HSTS is a security feature that also needs operational discipline.
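The following is an added Python example, not code from the original page or from any browser or server project. It simulates the browser-side policy memory described under What HSTS Does (header honoured only over HTTPS, host remembered until max-age expires, includeSubDomains widening the rule, max-age=0 forgetting the host) and audits a header value against the caveats listed above and the preload list's header requirements. The names HstsStore, parse_sts, audit_policy and preload_eligible, and the sample header values, are my own assumptions.

```python
"""Simulated HSTS host store and policy audit (added example, not browser code).

Models the behaviour RFC 6797 describes and audits a header value against the
operational caveats above and the preload list's header requirements.
"""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31_536_000  # seconds; the minimum max-age the preload list accepts


@dataclass
class HstsPolicy:
    expires_at: float
    include_subdomains: bool


def parse_sts(value: str) -> Optional[Tuple[int, bool, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains, preload).

    Returns None when invalid: RFC 6797 6.1 requires exactly one max-age and
    forbids repeated directives. Unknown directives are ignored.
    """
    max_age = None
    include_subdomains = preload = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_subdomains, preload


class HstsStore:
    """Browser-side policy memory keyed by hostname; `now` is injectable for testing."""

    def __init__(self, now=time.time):
        self.now = now
        self.hosts: Dict[str, HstsPolicy] = {}

    def process_response(self, url: str, sts_header: Optional[str]) -> bool:
        """Apply the header from a response to `url`; True if a policy was stored or cleared."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # RFC 6797 7.2: the header is ignored unless it arrived over HTTPS
        if parts.scheme != "https" or not sts_header:
            return False
        parsed = parse_sts(sts_header)
        if parsed is None:
            return False
        max_age, include_subdomains, _ = parsed
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.hosts[host] = HstsPolicy(self.now() + max_age, include_subdomains)
        return True

    def is_known(self, host: str) -> bool:
        """Exact host match, or a superdomain match whose policy has includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.hosts.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= self.now():
                del self.hosts[candidate]  # expired policies are dropped
            elif i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// for known hosts before any request is sent."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def audit_policy(value: str) -> List[str]:
    """Findings for the operational caveats above plus the preload list's header rules."""
    parsed = parse_sts(value)
    if parsed is None:
        return ["malformed: no single valid max-age; browsers ignore the whole header"]
    max_age, include_subdomains, preload = parsed
    findings = []
    if max_age < ONE_YEAR:
        findings.append("max-age below one year; preload requires at least 31536000")
    elif max_age > 2 * ONE_YEAR:
        findings.append("max-age over two years; a mistake stays cached in browsers that long")
    if include_subdomains:
        findings.append("includeSubDomains set; every subdomain must serve valid HTTPS")
    else:
        findings.append("includeSubDomains missing; subdomains unprotected, not preload-eligible")
    if not preload:
        findings.append("preload directive missing; required for list submission")
    return findings


def preload_eligible(value: str) -> bool:
    """Header-level checks only; the list also verifies the HTTP-to-HTTPS redirect."""
    parsed = parse_sts(value)
    if parsed is None:
        return False
    max_age, include_subdomains, preload = parsed
    return max_age >= ONE_YEAR and include_subdomains and preload
```

The store is what a browser keeps: process_response discards the header when it arrived over plain HTTP, rewrite upgrades a URL before anything is sent, and is_known drops expired entries and honours includeSubDomains for any superdomain match. audit_policy is a pre-deployment check; it cannot see redirect behaviour, which the preload list also verifies.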
Frequently Asked Questions
Does HSTS replace HTTPS certificates?
No. HSTS depends on working HTTPS with a valid certificate, not the other way around.
Is HSTS only for big public websites?
No. It is relevant anywhere a site is meant to be HTTPS-only.
Can HSTS break a site?
Yes. If includeSubDomains covers a subdomain that has no valid HTTPS, or a certificate expires, browsers refuse to load the host outright rather than offer a warning the user can click through, and the refusal lasts as long as the cached max-age.
Resources
- Standard: RFC 6797 HTTP Strict Transport Security
- Docs: MDN Strict-Transport-Security
- Operational Guide: HSTS Preload