Headers
HSTS: the security header that locks HTTPS on for good.
Published 2026-06-10 · Last updated 2026-06-10 · Vantyris editorial
HSTS (HTTP Strict-Transport-Security) is a header your site sends to every visitor telling their browser 'always use HTTPS for this domain, never HTTP'. Without it, a visitor on a hostile Wi-Fi network can be downgraded to HTTP for the first request and quietly attacked. Enabling HSTS takes 30 minutes and closes the only remaining gap in your HTTPS setup.
What this means for your business
- Without HSTS, every visit to your site starts with a brief HTTP request (when the visitor types your domain or follows an old link) that then redirects to HTTPS. That brief window is enough for an attacker on the same network to intercept and serve a fake HTTPS page.
- HSTS removes the window. Once a visitor has loaded your site once with HSTS, their browser caches the directive and refuses to use HTTP for your domain for as long as the `max-age` says.
- The trade-off: HSTS is sticky. If you publish a year-long HSTS policy and then your HTTPS breaks for some reason, visitors who've already seen your site cannot reach it at all until the cache expires. That's why you start with a short `max-age`.
How to fix
Add `Strict-Transport-Security: max-age=86400` for a day, confirm nothing breaks, then increase to `max-age=31536000; includeSubDomains; preload`.
- Start small (1 day). At your web host or CDN, add the header `Strict-Transport-Security: max-age=86400` to every response. 86400 is one day in seconds. If anything breaks, the impact clears in 24 hours.
- Watch for a week, then go to one week. If nothing broke, raise `max-age` to 604800 (one week). Confirm again.
- Go to one year + includeSubDomains. Final state: `max-age=31536000; includeSubDomains`. This protects your domain AND every subdomain. Only add `includeSubDomains` if you're certain every subdomain serves HTTPS.
- (Optional) Apply for HSTS preload. Add `; preload` to the directive and submit your domain at hstspreload.org. Once approved, your domain ships built into every major browser's HSTS list — visitors are protected even on their very first visit. This is hard to undo, so be sure first.
Owner: Your web host or developer. · Time: 30 minutes for the initial setup; 2 weeks of progressive rollout to reach the final value.
Common gotchas
- Do NOT jump straight to a one-year max-age. If your HTTPS setup has a bug, you've just told every visitor's browser to refuse HTTP fallback for a year. Start small.
- `includeSubDomains` is opt-in for a reason. If a subdomain (e.g., a legacy mail server or staging site) serves HTTP only, that subdomain becomes unreachable from any browser that's seen your main domain. Audit subdomains first.
- Removing HSTS once it's been served is hard. The browser remembers. You can publish `max-age=0` to clear it, but only visitors who hit your site after that change will see it. Be careful before opting in.
How to verify the fix
Open Chrome DevTools → Network → click any request to your domain → check Response Headers for `strict-transport-security`. Or run a Vantyris scan, which reports the HSTS directive's max-age and flags weak values.
Cyber Essentials alignment
This finding informs the following UK NCSC Cyber Essentials control areas:
- A2. Secure configuration — devices and services hardened against the inherent default vulnerabilities.
Vantyris is not a CE certifying body. The mapping above is informational.
Common follow-up questions
What's a 'good' max-age?
Industry standard for production sites is one year (31536000 seconds). HSTS preload requires at least one year + includeSubDomains + preload.
Does HSTS work for subdomains?
Only if you include `includeSubDomains` in the directive. Otherwise it applies only to the exact host that served it.
What's HSTS preload?
A list maintained by Chromium, Firefox, and Safari of domains that ship with HSTS pre-applied. Your domain is HSTS-protected even on a visitor's first ever visit. Submit at hstspreload.org.
References
Related explainers
- HTTPS for small business: how to enable it in 15 minutes.
- Content Security Policy: the header that stops most XSS attacks dead.
Want Vantyris to scan your domain for this and 80 other findings?
Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.
Vantyris editorial team · methodology v1.0.0