Enable HSTS
MetricSpot checks for a Strict-Transport-Security header. HSTS forces browsers to use HTTPS on every visit, closing the downgrade-attack window that HTTPS alone leaves open.
What this check does
Inspects the HTTP response headers for Strict-Transport-Security (HSTS). The header tells every browser that has seen it to connect to your domain only over HTTPS for the duration of max-age.
Why it matters
Even with HTTPS enabled, the very first request a new visitor makes is usually plaintext — they type yourdomain.com and the browser tries HTTP. That first request is a window for downgrade attacks (sslstrip-style man-in-the-middle on hostile Wi-Fi).
HSTS slams that window shut. Once a browser has seen a valid HSTS header, it auto-rewrites every future request to HTTPS for the entire max-age, ignoring user-typed http:// URLs.
How to fix it
Send the header on every HTTPS response. A safe production value:
Strict-Transport-Security: max-age=31536000; includeSubDomains
nginx:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Apache:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Cloudflare: SSL/TLS → Edge Certificates → HTTP Strict Transport Security (HSTS) → enable, set max-age to 12 months, enable Include subdomains.
Once you’re confident, add ; preload and submit to the Chrome preload list — see the HSTS preload page for the prerequisites.
Frequently asked questions
What max-age should I use?
Start with max-age=300 (5 minutes) while testing, then escalate to 31536000 (one year). HSTS preload requires at least one year.
Does HSTS lock me out if HTTPS breaks?
Yes — that’s the point. If your cert expires or your TLS config breaks, users who previously visited your site cannot reach it over HTTP as a fallback. Renew certs reliably (Let’s Encrypt + systemd timer) and monitor expiry.
What if I don’t have control over subdomains?
Drop includeSubDomains. The check still passes with just max-age set, though you lose protection for *.yourdomain.com. You cannot preload without includeSubDomains.
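The check described above and the thresholds from these answers (300 seconds while testing, one year for production, includeSubDomains required to preload), as an added Python example that is not MetricSpot's own code: it parses the header value and grades it the way a defender would. The names parse_hsts, grade_hsts, SAMPLES and ONE_YEAR are this example's own, and the sample responses are constructed, not captured from a real site.

```python
# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "missing": {"Content-Type": "text/html"},
    "testing": {"Strict-Transport-Security": "max-age=300"},
    "production": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "preload": {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"},
}

ONE_YEAR = 31536000  # seconds; the page's production value and the preload minimum


def parse_hsts(value):
    """Split an HSTS value into lower-cased directives, or None if max-age is
    missing or not an integer (browsers ignore such a header entirely)."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        return None
    directives["max-age"] = int(max_age)
    return directives


def grade_hsts(headers):
    """Return (passes, findings) for a dict of response headers. passes mirrors
    the check on this page: header present with a usable max-age. Treating
    max-age=0 as a failure is this example's assumption, since 0 clears the policy."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, ["Strict-Transport-Security header missing"]
    d = parse_hsts(value)
    if d is None:
        return False, ["max-age missing or malformed; browsers ignore the header"]
    if d["max-age"] == 0:
        return False, ["max-age=0 clears the policy instead of enforcing it"]
    findings = []
    if d["max-age"] < ONE_YEAR:
        findings.append(f"max-age {d['max-age']} is below the one-year production value")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: *.yourdomain.com unprotected, cannot preload")
    elif "preload" in d and d["max-age"] < ONE_YEAR:
        findings.append("preload set but max-age is under one year; the preload list will refuse it")
    return True, findings
```

Run grade_hsts over each entry in SAMPLES: the testing value passes the check but carries two findings, while the production and preload values pass clean.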
Last updated 2026-05-11