Skip to main content
Vantyris

TLS

Short HSTS max-age: what it really means, and how to extend it safely.

Published 2026-05-25 · Last updated 2026-05-25 · Vantyris editorial

If your TLS report flags HSTS with a short max-age, that does not mean your site is leaking traffic. HSTS (HTTP Strict Transport Security) tells browsers to stay on HTTPS for your domain for a set duration. A short duration narrows that protection window, but the actual risk depends on whether the rest of your TLS posture is healthy. This article explains when a short HSTS is a real problem, when it's a hardening backlog item, and the exact change to make at Cloudflare / Nginx / Apache.

What this means for your business

How to fix

Raise the max-age to at least six months in stages. Start at six months, watch for two weeks for any subdomain breakage, then push to one or two years. Add `includeSubDomains` only after confirming every subdomain serves HTTPS. Add `preload` and submit to hstspreload.org only after the long max-age has been stable for a couple of weeks.

  1. If you're behind Cloudflare. Cloudflare dashboard → SSL/TLS → Edge Certificates → HTTP Strict Transport Security (HSTS). Enable HSTS. Max Age: choose 6 months to start, raise to 12 months after 1-2 weeks. Include subdomains: only check this when every subdomain serves HTTPS (catch: an old `dev.yoursite.example` that still does plain HTTP will break). Preload: only check after validation, then submit your domain at https://hstspreload.org.
  2. If you run Nginx directly. Add inside your server block (or in a shared snippet): ``` add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; ``` The `always` directive ensures the header is sent on error responses too (some Nginx configurations silently drop headers on 4xx / 5xx without it). After 1-2 weeks, increase to `max-age=63072000; includeSubDomains; preload` and submit.
  3. If you run Apache directly. Add in your virtual host or `.htaccess`: ``` Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" ``` Same staging plan: hold for 1-2 weeks, then bump to `max-age=63072000; includeSubDomains; preload`.
  4. Submit to the preload list (optional but recommended). Visit https://hstspreload.org. Enter your domain. The form checks: HTTPS works on the apex and `www`, the cert is valid, HTTP redirects to HTTPS (not HTTPS-then-HTTP), HSTS max-age ≥ 63072000 (two years), `includeSubDomains` and `preload` directives are present. If all pass, submit. It takes 4-12 weeks for the domain to land in browser builds.

Owner: Your web host or developer. · Time: Cloudflare: 5 minutes per stage. Nginx / Apache: 10 minutes per stage. The 'preload' submission round-trip is weeks, not minutes.

Common gotchas

How to verify the fix

After deploying the new header, hit your site with `curl -sI https://yoursite | grep -i strict-transport-security` and confirm the new max-age value is shown. Then open Chrome's `chrome://net-internals/#hsts`, enter your domain, click 'Query', and confirm `static_sts_observed` shows your new max-age. Run a Vantyris scan to confirm the `headers.hsts_ok` healthy signal fires.

Cyber Essentials alignment

This finding informs the following UK NCSC Cyber Essentials control areas:

Vantyris is not a CE certifying body. The mapping above is informational.

Common follow-up questions

Is HSTS the same as redirecting HTTP to HTTPS?

No, but both matter. The HTTP-to-HTTPS redirect happens once per session, server-side. HSTS happens browser-side and persists across sessions — without HSTS, an attacker can intercept the very first request of a session before any redirect fires. Run both.

Why does Vantyris not flag short HSTS as a critical High?

Because in practice, on a well-configured site (working HTTPS, valid cert, no mixed content, HTTP-to-HTTPS redirect), the actual attack window is very small — an attacker needs to be on the path during a returning visitor's first request. Calling that a critical High alongside actual data-loss findings (exposed .env files, REST users exposed) made the report's urgency ordering unreliable. Medium / Low with a clear fix is the honest call.

Should every domain be on the preload list?

Most modern marketing and SaaS sites should aim for it. Domains that need to serve plain HTTP on subdomains for legitimate reasons (legacy IoT firmware update endpoints, captive portal redirects) should not preload. When in doubt, ship the long max-age but skip the submission until you're certain.

What if I'm using Vercel / Netlify / Cloudflare Pages?

All three set HSTS by default at modern values. If your scan still shows a short HSTS on one of those platforms, check whether you have a custom Page Rule (Cloudflare) or a `next.config.js` headers override that's downgrading it.

References

Related explainers

Want Vantyris to scan your domain for this and 80 other findings?

Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.

Editorial

Vantyris editorial team · methodology v1.0.0