Skip to main content
Vantyris

Headers

HSTS: the security header that locks HTTPS on for good.

Published 2026-06-10 · Last updated 2026-06-10 · Vantyris editorial

HSTS (HTTP Strict-Transport-Security) is a header your site sends to every visitor telling their browser 'always use HTTPS for this domain, never HTTP'. Without it, a visitor on a hostile Wi-Fi network can be downgraded to HTTP for the first request and quietly attacked. Enabling HSTS takes 30 minutes and closes the only remaining gap in your HTTPS setup.

What this means for your business

How to fix

Add `Strict-Transport-Security: max-age=86400` for a day, confirm nothing breaks, then increase to `max-age=31536000; includeSubDomains; preload`.

  1. Start small (1 day). At your web host or CDN, add the header `Strict-Transport-Security: max-age=86400` to every response. 86400 is one day in seconds. If anything breaks, the impact clears in 24 hours.
  2. Watch for a week, then go to one week. If nothing broke, raise `max-age` to 604800 (one week). Confirm again.
  3. Go to one year + includeSubDomains. Final state: `max-age=31536000; includeSubDomains`. This protects your domain AND every subdomain. Only add `includeSubDomains` if you're certain every subdomain serves HTTPS.
  4. (Optional) Apply for HSTS preload. Add `; preload` to the directive and submit your domain at hstspreload.org. Once approved, your domain ships built into every major browser's HSTS list — visitors are protected even on their very first visit. This is hard to undo, so be sure first.

Owner: Your web host or developer. · Time: 30 minutes for the initial setup; 2 weeks of progressive rollout to reach the final value.

Common gotchas

How to verify the fix

Open Chrome DevTools → Network → click any request to your domain → check Response Headers for `strict-transport-security`. Or run a Vantyris scan, which reports the HSTS directive's max-age and flags weak values.

Cyber Essentials alignment

This finding informs the following UK NCSC Cyber Essentials control areas:

Vantyris is not a CE certifying body. The mapping above is informational.

Common follow-up questions

What's a 'good' max-age?

Industry standard for production sites is one year (31536000 seconds). HSTS preload requires at least one year + includeSubDomains + preload.

Does HSTS work for subdomains?

Only if you include `includeSubDomains` in the directive. Otherwise it applies only to the exact host that served it.

What's HSTS preload?

A list maintained by Chromium, Firefox, and Safari of domains that ship with HSTS pre-applied. Your domain is HSTS-protected even on a visitor's first ever visit. Submit at hstspreload.org.

References

Related explainers

Want Vantyris to scan your domain for this and 80 other findings?

Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.

Editorial

Vantyris editorial team · methodology v1.0.0