The problem it solves
You have a certificate. You redirect HTTP to HTTPS. So everything is encrypted, right?
Almost. When someone types your domain into the address bar, the browser often tries http:// first. Your server redirects it to https://, and all is well. But that first request went out in the clear, and on a hostile network that is exactly the moment an attacker can step in and quietly keep the visitor on the insecure version.
HSTS closes that gap. Once a browser has seen the header, it remembers the rule and upgrades the address to HTTPS itself, before anything leaves the machine. The insecure first hop disappears on every return visit.
What the header looks like
It is one header, sent on your HTTPS responses.
Strict-Transport-Security: max-age=31536000; includeSubDomainsHSTS is header-only. There is no meta tag version, so on platforms that will not let you set headers you simply cannot have it. It is also ignored over plain HTTP, which is deliberate: an attacker on an insecure connection must not be able to inject it.
The parts that bite
Two of the three settings are more dangerous than they look.
- →max-age is how many seconds browsers should remember the rule. The catch is that you cannot take it back quickly. If your certificate breaks, every visitor who has seen the header is locked out for the remainder of the time you set, with no way to click through the warning.
- →includeSubDomains extends the rule to every subdomain. If any of them is still on HTTP, an old blog, a staging box, a legacy tool, it breaks the moment you ship this. Inventory your subdomains first.
- →preload is not a switch you flip casually. It has its own section below.
Preload is a serious commitment
Preloading means your domain is baked into the browsers themselves, so HTTPS is enforced even for someone who has never visited you before. It is the strongest version, and it is the one to be most careful with.
To be accepted, hstspreload.org requires max-age of at least 31536000 (one year), plus includeSubDomains, plus preload in the header. It also requires a valid certificate, an HTTP to HTTPS redirect on the same host, and every subdomain served over HTTPS.
Here is the part people skip. Inclusion "cannot easily be undone", and removal "takes months to reach users with a Chrome update". This is not a setting. It is a decision about the next several months of your domain, including any subdomain you might want to spin up later.
Do not add preload because a scanner gave you points for it.
How to roll it out without breaking things
Order matters, and it is always the same order.
First get a working certificate. Then force HTTPS sitewide and clear up any mixed content. Only then add HSTS.
Start with a short max-age, something you would be comfortable being stuck with if it went wrong. Watch for a few days. If nothing breaks, raise it, then raise it again. Add includeSubDomains only once you are certain every subdomain is on HTTPS. Consider preload last, or not at all.
Want to know whether your site already sends it? Our free check will tell you in a few seconds.
We have step by step instructions for every major platform, including the ones that will not let you.
See how to enable HSTS on your platform