What is HSTS and why is it important?
HSTS, or HTTP Strict Transport Security, is a response header that tells browsers to only ever connect to a site over HTTPS. Once a browser sees the header, it rewrites every http:// URL for that host to https:// before connecting, for as long as the max-age value says, even if the user types the URL with http://. This eliminates an entire class of downgrade and SSL stripping attacks that intercept the initial plain HTTP request before the redirect to HTTPS happens.
What does the max-age value mean?
max-age is the number of seconds the browser should remember the HSTS policy. A common production value is 31536000, which is one year. Shorter values are useful while testing because mistakes can be reverted faster. Once you are confident in HTTPS coverage, raise the value, add includeSubDomains, and finally add the preload directive to be eligible for the browser preload list.
What is the HSTS preload list?
The preload list is a hardcoded set of HSTS-protected domains shipped inside Chrome, Firefox, Safari, and Edge. Domains on the list get HSTS protection on the very first visit, before any header is seen. To qualify, you must serve a valid certificate, redirect HTTP to HTTPS, include all subdomains, and submit the domain at hstspreload.org. Removal can take months, so preload only after thorough testing.
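The rollout ladder in the two answers above (short max-age while testing, then a one-year max-age, then includeSubDomains, then preload) can be checked mechanically from the header value alone. The following is an added example, not code from this site's checker: it parses a Strict-Transport-Security value using the directive rules from RFC 6797 (names are case-insensitive, max-age is mandatory, a directive may appear only once, unknown directives are ignored) and reports which stage the header is at and what still blocks preload eligibility. The one-year minimum is the max-age threshold published by hstspreload.org; the certificate and redirect requirements are not header checks and are not covered here.

```python
import re

ONE_YEAR = 31536000  # seconds; hstspreload.org requires at least this max-age


def parse_hsts(value):
    """Parse the value of a Strict-Transport-Security header (RFC 6797 syntax).

    Returns a dict with max_age (int or None), include_subdomains, preload and a
    list of syntax problems. A browser discards the whole header on a syntax
    problem, so an entry in "problems" means no policy is applied at all."""
    policy = {"max_age": None, "include_subdomains": False,
              "preload": False, "problems": []}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        arg = arg.strip().strip('"')        # max-age="31536000" is legal syntax
        if name in seen:
            policy["problems"].append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", arg):
                policy["max_age"] = int(arg)
            else:
                policy["problems"].append(
                    f"max-age is not a whole number of seconds: {arg!r}")
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # any other directive is ignored, as RFC 6797 requires
    if "max-age" not in seen:
        policy["problems"].append("max-age directive is required")
    return policy


def assess_hsts(value):
    """Place a header on the rollout ladder (testing -> production ->
    production with subdomains -> preload-ready) and list what still
    blocks submission to the preload list."""
    p = parse_hsts(value)
    blockers = list(p["problems"])
    if p["max_age"] is None or p["max_age"] < ONE_YEAR:
        blockers.append(f"max-age must be at least {ONE_YEAR} (one year)")
    if not p["include_subdomains"]:
        blockers.append("includeSubDomains is missing")
    if not p["preload"]:
        blockers.append("preload directive is missing")

    if p["problems"]:
        stage = "invalid"        # browsers ignore the whole header
    elif p["max_age"] == 0:
        stage = "disabled"       # max-age=0 tells browsers to forget the policy
    elif p["max_age"] < ONE_YEAR:
        stage = "testing"
    elif not p["include_subdomains"]:
        stage = "production"
    elif not p["preload"]:
        stage = "production with subdomains"
    else:
        stage = "preload-ready"
    return {"policy": p, "stage": stage, "preload_blockers": blockers}


if __name__ == "__main__":
    # constructed sample values, one per rung of the ladder
    for sample in ("max-age=300",
                   "max-age=31536000",
                   "max-age=31536000; includeSubDomains",
                   "max-age=31536000; includeSubDomains; preload",
                   "includeSubDomains; preload"):
        result = assess_hsts(sample)
        print(f"{sample!r:50} -> {result['stage']}; blockers: {result['preload_blockers']}")
```

Note that "max-age=0" is classified as disabled rather than invalid: it is the documented way to tell browsers to drop a cached policy, which matters when reading the answer about locking yourself out below.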
What other security headers should I check?
Beyond HSTS, modern sites should send Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Cross-Origin-Resource-Policy. Each closes a specific class of attacks like XSS, MIME sniffing, and cross-origin data leaks. The checker reports all of them, plus HTTP/2 and HTTP/3 support, so you can see at a glance how the site stacks up against current best practices.
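For the other headers listed above, here is an added example of a minimal baseline audit; it is not this site's checker and the header values it runs on are constructed. Beyond presence, it applies the value checks a reviewer would actually want: X-Content-Type-Options must be exactly nosniff (compared case-insensitively, as browsers do), Referrer-Policy is reduced to the last recognised token of a comma-separated list (the fallback mechanism the spec defines) and must be one of the non-leaking policies, Cross-Origin-Resource-Policy must carry one of its three defined values, and a Content-Security-Policy counts only if it has a script-src or default-src directive, since a policy without either leaves script loading unrestricted. HSTS is left out here because it needs a full directive parser of its own.

```python
# Referrer-Policy tokens browsers recognise; the last recognised one in a list wins.
ALL_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Policies that never send the full URL to another origin.
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}
CORP_VALUES = {"same-origin", "same-site", "cross-origin"}


def audit_headers(headers):
    """Check one response's headers against a minimal baseline.

    headers: mapping of header name -> value, in any letter case.
    Returns a list of (header, ok, detail) tuples, one per checked header,
    always in the same order so reports are easy to diff."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("Content-Security-Policy", False, "missing"))
    else:
        names = {d.strip().split()[0].lower() for d in csp.split(";") if d.strip()}
        restricts_scripts = "script-src" in names or "default-src" in names
        findings.append(("Content-Security-Policy", restricts_scripts,
                         "present" if restricts_scripts
                         else "no script-src or default-src, so script loading is unrestricted"))

    xcto = h.get("x-content-type-options")
    findings.append(("X-Content-Type-Options",
                     xcto is not None and xcto.lower() == "nosniff",
                     xcto if xcto else "missing"))

    rp = h.get("referrer-policy")
    if rp is None:
        findings.append(("Referrer-Policy", False, "missing (browser default applies)"))
    else:
        tokens = [t.strip().lower() for t in rp.split(",") if t.strip()]
        effective = next((t for t in reversed(tokens) if t in ALL_REFERRER_POLICIES), None)
        findings.append(("Referrer-Policy", effective in SAFE_REFERRER_POLICIES,
                         effective or f"no recognised policy in {rp!r}"))

    pp = h.get("permissions-policy")
    findings.append(("Permissions-Policy", pp is not None, "present" if pp else "missing"))

    corp = h.get("cross-origin-resource-policy")
    findings.append(("Cross-Origin-Resource-Policy",
                     corp is not None and corp.lower() in CORP_VALUES,
                     corp if corp else "missing"))
    return findings


def failures(findings):
    """Names of the headers that did not pass, in report order."""
    return [name for name, ok, _ in findings if not ok]


# Constructed header sets: one that passes the baseline and one that does not.
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer, strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Resource-Policy": "same-origin",
}
WEAK_HEADERS = {
    "content-security-policy": "img-src *",   # present but does not restrict scripts
    "x-content-type-options": "NOSNIFF",      # case differs but still effective
    "referrer-policy": "unsafe-url",          # leaks full URLs cross-origin
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, "fails:", failures(audit_headers(hdrs)))
```

The audit only establishes that a CSP exists and constrains scripts; whether its source lists are tight enough is a separate review, and a header that passes this baseline can still be weak in detail.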
Can HSTS lock me out of my own site?
Only if you set a long max-age and then lose your HTTPS configuration. Browsers will refuse plain HTTP, leaving users unable to reach the site until they wait out the policy or clear it manually. To avoid this, use a short max-age while testing, deploy includeSubDomains only after verifying every subdomain has a valid certificate, and keep certificate renewal automated and monitored.
Does HSTS work for subdomains automatically?
Only if you include the includeSubDomains directive. Without it, the policy applies only to the exact host that sent the header. Adding includeSubDomains is powerful but requires every subdomain, including legacy ones you might have forgotten, to support HTTPS. Audit your full DNS zone before enabling it, because once browsers cache the directive there is no per-subdomain exception.
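The two answers above come down to one pre-flight check: before includeSubDomains goes out, every hostname in the zone that serves web content must complete a verified TLS handshake. The following is an added example, not part of this site or its checker. It expands owner names as they appear in a zone file into fully qualified hostnames (skipping underscore-prefixed service records and wildcards, which browsers never connect to), probes each with the standard library's ssl module, which verifies both the chain and the hostname, and returns the hosts that fail. The hostnames and the fake probe used at the bottom are constructed; pass your own exported names and the real tls_probe to run it against a live zone.

```python
import socket
import ssl


def tls_probe(host, port=443, timeout=5.0):
    """Return None if a verified TLS connection to host succeeds, else the error text.

    ssl.create_default_context() loads the system trust store and checks the
    hostname, so an expired, self-signed or mismatched certificate is reported."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except OSError as exc:  # ssl.SSLError and socket errors are both OSError subclasses
        return f"{type(exc).__name__}: {exc}"


def expand_names(owner_names, apex):
    """Turn zone owner names (relative or absolute) into FQDNs to probe.

    "@" and the empty name mean the apex; names already under the apex are kept;
    anything else is treated as relative. Underscore labels (_acme-challenge,
    _dmarc, SRV owners) and wildcards are skipped because no browser connects
    to them, so an HSTS policy cannot break them."""
    fqdns = set()
    for name in owner_names:
        name = name.strip().rstrip(".")
        if name in ("", "@"):
            fqdn = apex
        elif name == apex or name.endswith("." + apex):
            fqdn = name
        else:
            fqdn = f"{name}.{apex}"
        if any(label.startswith("_") or label == "*" for label in fqdn.split(".")):
            continue
        fqdns.add(fqdn)
    return sorted(fqdns)


def audit_subdomains(hosts, probe=tls_probe):
    """Return {host: error} for every host whose TLS check fails.

    An empty result means includeSubDomains can be enabled for these hosts.
    A host that refuses connections on 443 outright serves no web content and
    is unaffected by HSTS, but it still appears here so the zone owner decides."""
    failures = {}
    for host in hosts:
        error = probe(host)
        if error is not None:
            failures[host] = error
    return failures


# Constructed zone owner names, as they might appear in a zone file export.
SAMPLE_OWNERS = ["@", "www", "legacy", "_acme-challenge", "*.dev", "mail.example.com."]


def fake_probe(host):
    """Constructed stand-in for tls_probe so the example runs offline."""
    return "SSLCertVerificationError: certificate has expired" if host == "legacy.example.com" else None


if __name__ == "__main__":
    hosts = expand_names(SAMPLE_OWNERS, "example.com")
    print("hosts to probe:", hosts)
    print("failing hosts:", audit_subdomains(hosts, probe=fake_probe))
```

Run with the real probe this takes a few seconds per unreachable host, so raise the timeout only if your zone has slow endpoints. The forgotten legacy host in the constructed sample is exactly the case the answer warns about: once includeSubDomains is cached, browsers would refuse it until its certificate is fixed.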