
How to Enable HTTP Strict Transport Security (HSTS)

Learn How to Implement HTTP Strict Transport Security aka HSTS

What is HTTP Strict Transport Security (HSTS)?

How to implement HSTS?

How to enable HSTS?

How to implement HTTP Strict Transport Security (HSTS) in Apache?

How to implement HTTP Strict Transport Security (HSTS) in Nginx?

How to enable HTTP Strict Transport Security (HSTS) using htaccess?

If you are looking for answers to the above questions, then you have come to the right place.

Congrats, and pat yourself on the back.

You did an excellent job. Keep it up!

You are a wonderful human being.

Now let's get back to our article on HTTP Strict Transport Security (HSTS).

What is HTTP Strict Transport Security (HSTS)?

HTTP Strict Transport Security (HSTS) is a response header that ensures visitors always connect to your site over the secure HTTPS protocol, even when the scheme is not specified.

It works like a 301 redirect, but at the browser level. This is what makes it very fast.

The HSTS header tells the browser to connect to the current domain only over HTTPS.

This makes HSTS far better than 301 redirects, which leave the first, plain-HTTP request unprotected on a visitor's first visit.

Which Browsers Support HTTP Strict Transport Security (HSTS)?

All current web browsers support HTTP Strict Transport Security (HSTS), including but not limited to Brave, Microsoft Edge, Google Chrome, Mozilla Firefox, Apple Safari, and Opera.

Benefits of HTTP Strict Transport Security (HSTS)

  • Helps prevent man-in-the-middle attacks and cookie hijacking.
  • Helps avoid mixed content issues.
  • Does not allow a user to click through invalid certificate warnings.
  • Can be preloaded into browsers by listing your domain with them.
  • Avoids insecure redirects from HTTP to HTTPS.
  • Also improves WordPress blog speed by eliminating a redirect.

How to Enable HTTP Strict Transport Security (HSTS) using htaccess

# Enable HTTP Strict Transport Security (HSTS)
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

The “max-age” flag specifies the time in seconds this policy is cached in the browser.

The “includeSubDomains” flag instructs browsers to apply this policy to all subdomains as well.

The “preload” flag indicates that the site wants to be added to the HSTS preload list.

“env=HTTPS” ensures that the header is sent only on the secure [https] version of your site and not on the unsecure [http] version (Apache sets the HTTPS environment variable only on TLS requests).

How to Enable HTTP Strict Transport Security (HSTS) in Nginx

# Enable HTTP Strict Transport Security (HSTS)
# Place this inside the server block that serves HTTPS (listen 443 ssl)
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;

Example of HTTP Strict Transport Security (HSTS)

Want to see HSTS in action?

Just type kunaldesai.blog in your browser.

And you will land on the secure version of my blog.

HSTS Preload Service

If you want your site to be preloaded, you can submit it to the HSTS Preload service.

Before submitting your site, make sure it meets the eligibility criteria.

Your site needs a valid certificate, must redirect from HTTP to HTTPS, must serve all subdomains over HTTPS, and must include an HSTS header on the base domain.

If your site meets the above criteria, then and only then submit your site.

One important suggestion that I'd like to share is that you should ramp up the max-age gradually over a period of time when you implement HSTS for the first time.

Have you enabled HSTS on your site? If no, do it now.
