HSTS (Strict-Transport-Security)
HSTS forces browsers to use HTTPS for your domain, preventing downgrade attacks and reducing SSL-stripping risk.
What it is
HSTS tells browsers: “only use HTTPS for this site for the next N seconds.” Once a browser has seen the header, it automatically upgrades any later plain-HTTP request for that host to HTTPS until the policy expires.
Why it matters
- Reduces the chance of SSL stripping / downgrade attacks.
- Helps enforce HTTPS usage on repeat visits.
- Signals strong security posture to scanners and auditors.
What to look for
- max-age should be reasonably high (e.g., 15552000 = 180 days or 31536000 = 1 year).
- includeSubDomains only if all subdomains are HTTPS-ready.
- preload only if you're ready to commit to HTTPS permanently.
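The three checks above, as an added example that is not part of this guide: a small Python checker that parses a Strict-Transport-Security value along the lines of RFC 6797 and reports findings against the thresholds the guide cites. Two caveats a scanner needs are folded in as assumed inputs: browsers ignore the header when it arrives over plain HTTP (so `served_over_https` is passed in), and `includeSubDomains` is only safe if every subdomain serves HTTPS (`all_subdomains_https`). The preload eligibility rule (max-age of at least one year plus includeSubDomains) is the published hstspreload.org submission requirement. The sample header values at the bottom are constructed for illustration.

```python
"""Parse and assess a Strict-Transport-Security header value.

Added example, not code from the original guide. Thresholds: 180 days
(the guide's 'reasonably high' floor) and 1 year (hstspreload.org minimum).
"""
from dataclasses import dataclass, field
from typing import List, Optional

HALF_YEAR = 15552000   # 180 days, in seconds
ONE_YEAR = 31536000    # 365 days, in seconds


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    findings: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Split ';'-separated directives; names are case-insensitive (RFC 6797)."""
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    findings: List[str] = []
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')   # max-age="300" is a valid quoted form
        if name == "max-age":
            if max_age is not None:
                findings.append("duplicate: max-age appears more than once")
            if not val.isdigit():
                findings.append(f"invalid: max-age value {val!r} is not a number")
            else:
                max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        else:
            # Unknown directives are ignored by browsers; flag them as a typo check.
            findings.append(f"unknown: directive {name!r} ignored")
    return HstsPolicy(max_age, include_subdomains, preload, findings)


def assess(header: Optional[str], served_over_https: bool = True,
           all_subdomains_https: bool = True) -> List[str]:
    """Return a list of findings; an empty list means the policy looks sound."""
    if header is None:
        return ["missing: no Strict-Transport-Security header"]
    findings: List[str] = []
    if not served_over_https:
        # A UA only honours HSTS received over a secure transport.
        findings.append("ignored: header sent over HTTP has no effect")
    policy = parse_hsts(header)
    findings.extend(policy.findings)
    if policy.max_age is None:
        findings.append("invalid: max-age directive is required")
        return findings
    if policy.max_age == 0:
        findings.append("disabled: max-age=0 removes the cached policy")
    elif policy.max_age < HALF_YEAR:
        findings.append(f"weak: max-age {policy.max_age} is below 180 days")
    if policy.include_subdomains and not all_subdomains_https:
        findings.append("risky: includeSubDomains set but some subdomains are not HTTPS-ready")
    if policy.preload and (policy.max_age < ONE_YEAR or not policy.include_subdomains):
        findings.append("preload: requires max-age >= 1 year and includeSubDomains")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not captured from any real site.
    samples = [
        "max-age=31536000; includeSubDomains; preload",
        "max-age=300",
        "includeSubDomains",
        "max-age=31536000; preload",
        None,
    ]
    for sample in samples:
        print(repr(sample), "->", assess(sample) or ["ok"])
```

An empty result is the "good" outcome; each finding is prefixed with a stable keyword (`weak`, `risky`, `preload`, ...) so the checker can be wired into a scanner without string-matching on the full message.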