HSTS: how to enable Strict-Transport-Security safely

HSTS is how you tell the browser to never speak HTTP to your domain again. Get max-age, includeSubDomains, and preload right, and downgrade attacks stop being your problem.

What it is

HSTS (HTTP Strict Transport Security) is an HTTP response header that tells the browser to use only HTTPS when connecting to your site for a set period. After the first secure visit, the browser refuses to connect over plain HTTP, which blocks downgrade attacks and reduces the risk of cookie hijacking on the initial plain-HTTP request that would otherwise precede the redirect to HTTPS.

Why it matters

Without HSTS, the first visit or any request after the header expires can be sent over HTTP and intercepted. HSTS ensures that once a browser has seen the header, it will use HTTPS only. It is a simple way to enforce encryption and is often required or recommended by compliance and security scans.

How Barrion checks it

Barrion requests your site and inspects the Strict-Transport-Security response header. We check for presence, max-age, and optional includeSubDomains and preload. We report when the header is missing or misconfigured. Passive check only.

Configuration examples

Nginx: HSTS with preload

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

Apache: HSTS with preload

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

The nginx always parameter and the Apache always keyword make the header appear on error responses as well; the Apache directive needs mod_headers enabled. Set the header in the HTTPS server block or virtual host: browsers ignore it when it arrives over plain HTTP.

Verify it

curl -sI https://example.com | grep -i strict-transport-security
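The curl line shows the raw header. The script below, added here as an example and not Barrion's own checker, parses the directives the way a scanner does and applies the checks described under "How Barrion checks it", using the thresholds this page gives (31536000 seconds as the preload-list minimum, 63072000 as the recommended value, six months as the lower bound). The sample header values are constructed; fetch_hsts is an optional helper for live use and nothing else depends on it.

```python
"""Parse and evaluate a Strict-Transport-Security header value.

Added example, not Barrion's checker. Thresholds come from this page: the
preload list requires max-age >= 31536000, two years (63072000) is the
recommended value, and anything under six months is flagged as too short.
"""
from dataclasses import dataclass, field
from typing import List, Optional
import urllib.request

SIX_MONTHS = 182 * 24 * 3600      # 15724800 seconds
PRELOAD_MIN_AGE = 31536000        # one year, the preload-list minimum quoted above
RECOMMENDED_AGE = 63072000        # two years, the value used in the config examples


@dataclass
class HstsPolicy:
    max_age: Optional[int]        # None when absent or unparsable
    include_subdomains: bool
    preload: bool
    problems: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Split the ';'-separated directives. Per RFC 6797 directive names are
    case-insensitive, max-age is mandatory, unknown directives are ignored
    and no directive may appear twice."""
    max_age, include_subdomains, preload = None, False, False
    problems: List[str] = []
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:
            problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if arg.isdigit():
                max_age = int(arg)
            else:
                problems.append(f"max-age value is not an integer: {arg!r}")
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if "max-age" not in seen:
        problems.append("max-age directive missing")
    return HstsPolicy(max_age, include_subdomains, preload, problems)


def preload_ready(policy: HstsPolicy) -> List[str]:
    """Unmet header requirements for hstspreload.org; empty means the header
    itself is eligible (checking every subdomain over HTTPS is out of scope)."""
    unmet = []
    if policy.max_age is None or policy.max_age < PRELOAD_MIN_AGE:
        unmet.append(f"max-age must be at least {PRELOAD_MIN_AGE}")
    if not policy.include_subdomains:
        unmet.append("includeSubDomains is required")
    if not policy.preload:
        unmet.append("preload token is required")
    return unmet


def evaluate_hsts(header_value: Optional[str]) -> List[str]:
    """Findings a scanner would report; an empty list means no problem found.
    includeSubDomains and preload are optional, so their absence is only a
    finding when the preload token is present and its requirements are unmet."""
    if header_value is None:
        return ["Strict-Transport-Security header missing"]
    policy = parse_hsts(header_value)
    findings = list(policy.problems)
    if policy.max_age is not None:
        if policy.max_age == 0:
            findings.append("max-age=0 tells browsers to forget the policy")
        elif policy.max_age < SIX_MONTHS:
            findings.append(f"max-age {policy.max_age} is under six months")
    if policy.preload:
        findings += [f"preload set but {u}" for u in preload_ready(policy)]
    return findings


def fetch_hsts(url: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch an https:// URL (redirects are followed) and return the header
    from the final response, or None if it is absent. Live use only."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.headers.get("Strict-Transport-Security")


if __name__ == "__main__":
    # Constructed sample values, not captured from a real site.
    for sample in [None, "max-age=300", "max-age=31536000; preload",
                   "max-age=63072000; includeSubDomains; preload"]:
        print(f"{sample!r}: {evaluate_hsts(sample) or ['ok']}")
```

Feed the value printed by the curl line into evaluate_hsts, or call fetch_hsts("https://example.com") and pass its result. A header that arrives only over HTTP is not a finding this script can see, which is why the fetch uses the https:// URL.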

FAQ

Common questions.

How long should max-age be?
Two years (63072000 seconds) is the value most major sites use and the minimum the preload list requires. Anything shorter than six months leaves users unprotected after a single inactive period, and shorter values exist mostly as a staging step while you confirm HTTPS works everywhere.
What does includeSubDomains actually do?
It extends the HTTPS-only rule to every subdomain of the host that served the header, including ones that did not exist when the browser cached the policy. Skip it only if you still have a legacy subdomain that needs HTTP, and plan to retire that subdomain before enabling preload.
How do I get on the preload list safely?
Serve HSTS with max-age at least 31536000, includeSubDomains, and the preload token on the apex domain over HTTPS for at least a few weeks, confirm every subdomain (including www and any wildcard) resolves over HTTPS, then submit at hstspreload.org. Removal can take months, so treat submission as a one-way door.
Does HSTS protect the very first visit?
No. The browser only honors HSTS after it sees the header at least once over HTTPS, so the initial request can still be hijacked. Preloading closes that gap because the browser ships with your domain already on the list.
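To make the FAQ answers concrete, here is a small model of how a browser applies a cached HSTS policy: the first plain-HTTP request goes out unprotected, a header received over HTTP is ignored, includeSubDomains covers subdomains that appear later, the policy lapses once max-age passes, and a preloaded host is upgraded from the very first request. This is an added illustration, not any browser's implementation and not part of this page; the host names, integer timestamps and the walkthrough scenario are constructed, and ports are ignored for simplicity.

```python
"""Minimal model of a browser's HSTS store, added to show what the header
does and does not cover. Illustration only, not any browser's or Barrion's
code; timestamps are plain integers (seconds) rather than wall-clock time.
"""
import re
from typing import Dict, Iterable, Tuple


class HstsStore:
    def __init__(self, preloaded: Iterable[str] = ()):
        # host -> (expiry, include_subdomains); preloaded entries never expire
        self.policies: Dict[str, Tuple[float, bool]] = {
            h.lower(): (float("inf"), True) for h in preloaded
        }

    def observe(self, scheme: str, host: str, header: str, now: int) -> None:
        """Learn a policy from a response. Per RFC 6797 the header is ignored
        unless it arrived over HTTPS, and max-age=0 deletes the entry."""
        if scheme != "https":
            return
        m = re.search(r'max-age\s*=\s*"?(\d+)', header, re.I)
        if not m:
            return
        max_age = int(m.group(1))
        host = host.lower()
        if max_age == 0:
            self.policies.pop(host, None)
            return
        include = re.search(r"(^|;)\s*includeSubDomains\s*(;|$)", header, re.I) is not None
        self.policies[host] = (now + max_age, include)

    def must_use_https(self, host: str, now: int) -> bool:
        """True on an exact host match, or on a superdomain whose cached
        policy carries includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include = entry
            if now >= expiry:
                continue  # expired: the browser acts as if it never saw the header
            if i == 0 or include:
                return True
        return False

    def navigate(self, url: str, now: int) -> str:
        """Return the URL the browser would actually request."""
        scheme, _, rest = url.partition("://")
        host = rest.split("/", 1)[0]
        if scheme == "http" and self.must_use_https(host, now):
            return "https://" + rest
        return url


def walkthrough() -> Dict[str, str]:
    """Constructed scenario using the header value from the config examples;
    returns the URL the browser would fetch at each step."""
    hdr = "max-age=63072000; includeSubDomains; preload"
    store = HstsStore()
    out = {}
    out["first_visit"] = store.navigate("http://example.com/login", 0)
    store.observe("http", "example.com", hdr, 0)           # over HTTP: ignored
    out["after_http_header"] = store.navigate("http://example.com/login", 1)
    store.observe("https", "example.com", hdr, 1)          # over HTTPS: cached
    out["after_https_header"] = store.navigate("http://example.com/login", 2)
    out["new_subdomain"] = store.navigate("http://new.api.example.com/", 2)
    out["other_domain"] = store.navigate("http://notexample.com/", 2)
    out["after_expiry"] = store.navigate("http://example.com/", 1 + 63072000)
    preloaded = HstsStore(preloaded=["example.org"])
    out["preloaded_first_visit"] = preloaded.navigate("http://example.org/", 0)
    return out


if __name__ == "__main__":
    for step, url in walkthrough().items():
        print(f"{step:>22}: {url}")
```

The after_expiry step is the reason the FAQ warns against short max-age values: a user who stays away longer than the policy lifetime is back to the unprotected first-visit case on return, and only a preloaded entry (which never expires here) closes that gap.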