HTTP Strict Transport Security (HSTS) explained
HTTP Strict Transport Security (HSTS) is a response header that tells browsers to only ever connect to your site over HTTPS. Once seen, the browser refuses plain-HTTP connections to your domain for the duration of the policy.
What it is
HSTS is delivered via the Strict-Transport-Security header, e.g. max-age=31536000; includeSubDomains; preload. max-age is how long (in seconds) the browser remembers the rule.
After the first HTTPS visit, the browser upgrades every future request to HTTPS automatically — the user can't accidentally hit the insecure version, and an attacker can't strip the connection back to HTTP.
Why it matters
Without HSTS, the first request a user makes (typing yourdomain.com) goes over plain HTTP and can be intercepted before your redirect to HTTPS ever happens — a classic SSL-stripping attack.
A weak HSTS policy undercuts the protection: a short max-age shrinks the enforcement window, and omitting includeSubDomains leaves every subdomain exposed to downgrade.
How to fix it
Use a long max-age (one year), cover subdomains, and opt into preloading.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Only add includeSubDomains and preload after every subdomain serves valid HTTPS — otherwise you can lock users out of subdomains that aren't ready.
Once your header includes 'preload', submit your domain at hstspreload.org so browsers enforce HTTPS even on the very first visit.
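To check a header value against the recommendations above before rolling it out, here is a small policy evaluator. It is an added example, not code from the article or from AppSafe: it parses the directives of one Strict-Transport-Security value and reports the weaknesses the article names (short max-age, missing includeSubDomains, missing preload), plus two edge cases the article does not spell out: max-age=0 (which deletes a stored policy rather than enforcing HTTPS) and a header with no max-age at all (which browsers ignore). The preload check also applies hstspreload.org's requirement that preloaded sites set includeSubDomains. The sample header values are constructed for illustration.

```python
"""Evaluate a Strict-Transport-Security header value against the policy
described in the article.  Added example, not part of the original page;
the sample header values at the bottom are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR = 31536000      # seconds; recommended, and required for the preload list
SIX_MONTHS = 15552000    # seconds; the minimum the article recommends


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_hsts(value: Optional[str]) -> HstsPolicy:
    """Parse one header value and evaluate it.

    Directive names are case-insensitive (RFC 6797); max-age is required and
    unknown directives are ignored, as browsers ignore them.
    """
    policy = HstsPolicy()
    if value is None:
        policy.findings.append("header missing: browsers will keep accepting plain HTTP")
        return policy
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')   # max-age may be a quoted-string
        if name in seen:
            policy.findings.append(f"duplicate directive {name!r} (invalid per RFC 6797)")
            continue
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                policy.findings.append(f"max-age is not a non-negative integer: {arg!r}")
            else:
                policy.max_age = int(arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return evaluate(policy)


def evaluate(policy: HstsPolicy) -> HstsPolicy:
    """Apply the article's recommendations: long max-age, subdomains, preload."""
    if policy.max_age is None:
        policy.findings.append("max-age missing: browsers ignore the whole header")
        return policy
    if policy.max_age == 0:
        policy.findings.append("max-age=0 deletes the stored policy instead of enforcing HTTPS")
    elif policy.max_age < SIX_MONTHS:
        policy.findings.append(f"max-age {policy.max_age} is below the 6-month minimum")
    elif policy.max_age < ONE_YEAR:
        policy.findings.append(f"max-age {policy.max_age} is below the 1-year recommendation")
    if not policy.include_subdomains:
        policy.findings.append("includeSubDomains missing: subdomains stay exposed to downgrade")
    if policy.preload:
        if not policy.include_subdomains or policy.max_age < ONE_YEAR:
            policy.findings.append("preload requires includeSubDomains and max-age >= 1 year")
    else:
        policy.findings.append("preload missing: the very first visit is still unprotected")
    return policy


# Constructed sample values: the weak setting beside the corrected one.
WEAK = "max-age=86400"
STRONG = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    for label, value in (("weak", WEAK), ("strong", STRONG), ("missing", None)):
        result = parse_hsts(value)
        print(f"{label}: {'OK' if result.ok else 'WEAK'}")
        for finding in result.findings:
            print("  -", finding)
```

Run it against the value your server actually emits (for example, copied from the response headers in the browser's developer tools). Any finding means the policy is weaker than the one-year, subdomain-covering, preloaded header recommended above.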
FAQ
What max-age should I use?
At least 15552000 (6 months); 31536000 (1 year) is the common recommendation and required for the preload list.
Can HSTS lock me out of my own site?
Only if you later need to serve over HTTP or have a subdomain without HTTPS. Test thoroughly before enabling includeSubDomains or preload.
Is your app affected?
AppSafe checks for this and dozens of other issues in one free scan.