HTTP Strict Transport Security (HSTS) is a web security policy mechanism delivered through an HTTP response header that instructs browsers to only communicate with a domain using HTTPS. Once a browser receives the HSTS header, it automatically converts any HTTP requests to that domain into HTTPS requests for the specified duration, preventing protocol downgrade attacks and cookie hijacking.
How It Works
When a server sends the header Strict-Transport-Security: max-age=31536000; includeSubDomains; preload, it tells the browser three things. First, for the next 31,536,000 seconds (one year), never make an unencrypted HTTP connection to this domain. Second, apply this rule to all subdomains as well. Third, the domain consents to being added to the browser's built-in HSTS preload list.
Without HSTS, a user who types example.com into their browser bar typically makes an initial HTTP request that gets redirected to HTTPS. During that brief HTTP request, an attacker on the same network can intercept the traffic, strip the HTTPS redirect, and serve a plaintext version of the site (an SSL stripping attack). HSTS eliminates this window because the browser never makes the HTTP request in the first place.
The preload list is a hardcoded list of HSTS domains built into browsers. Domains on this list enforce HTTPS from the very first visit, before any headers are received. Without preloading, the first visit to a domain is still vulnerable because the browser has not yet seen the HSTS header. Submitting a domain for preload inclusion requires setting max-age to at least one year and including the includeSubDomains and preload directives.
Why It Matters
Missing or misconfigured HSTS is a common finding in security assessments. Without it, users on public networks are vulnerable to man-in-the-middle attacks that downgrade connections to HTTP. Even sites that redirect HTTP to HTTPS are vulnerable during the redirect window.
HSTS should be implemented on every production web application served over HTTPS. The configuration should use a long max-age, include subdomains so that an insecure or taken-over subdomain cannot be used to attack the parent domain, and ideally be preloaded to protect first-time visitors.
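The following is an added example, not code from the original article. It ties together the header semantics described in "How It Works" and the assessment criteria in "Why It Matters": it parses a Strict-Transport-Security value, reports which preload requirements (max-age of at least one year, includeSubDomains, preload) a header fails, and simulates the browser side of the mechanism, rewriting http:// URLs to https:// for the covered domain and its subdomains until the policy expires. The header values, hostnames and timestamps used are constructed sample inputs; the max-age=0 removal rule comes from RFC 6797 rather than from the article.

```python
"""Added example: parse Strict-Transport-Security, check preload eligibility,
and simulate the browser-side HTTP->HTTPS upgrade the article describes."""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; minimum max-age for preload submission


@dataclass
class HstsPolicy:
    host: str                # domain the header was received from
    max_age: int             # seconds the policy stays valid
    include_subdomains: bool
    preload: bool
    received_at: float       # time.time() when the header was seen


def parse_hsts(header: str) -> Optional[Dict[str, str]]:
    """Split a header value into lower-cased directives.

    Returns None when max-age is absent or not a number; a browser ignores
    such a header, so the caller should treat it as 'no HSTS'.
    """
    directives: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    return directives


def preload_findings(header: Optional[str]) -> List[str]:
    """Assessment-style check against the preload requirements in the text:
    max-age >= one year, includeSubDomains, preload. Empty list = eligible."""
    if header is None:
        return ["Strict-Transport-Security header missing"]
    d = parse_hsts(header)
    if d is None:
        return ["Strict-Transport-Security header has no valid max-age"]
    findings: List[str] = []
    if int(d["max-age"]) < ONE_YEAR:
        findings.append(f"max-age={d['max-age']} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains directive missing")
    if "preload" not in d:
        findings.append("preload directive missing")
    return findings


def remember_policy(host: str, header: str, now: float) -> Optional[HstsPolicy]:
    """What a browser stores after seeing the header on an HTTPS response."""
    d = parse_hsts(header)
    if d is None:
        return None
    return HstsPolicy(host.lower(), int(d["max-age"]),
                      "includesubdomains" in d, "preload" in d, now)


def policy_covers(policy: HstsPolicy, host: str, now: float) -> bool:
    """True if a stored policy still applies to `host` at time `now`."""
    # max-age=0 tells the browser to forget the policy (RFC 6797)
    if policy.max_age == 0 or now - policy.received_at > policy.max_age:
        return False
    host = host.lower()
    if host == policy.host:
        return True
    return policy.include_subdomains and host.endswith("." + policy.host)


def upgrade_url(policy: Optional[HstsPolicy], url: str, now: float) -> str:
    """Rewrite an http:// URL to https:// when the stored policy covers it,
    so no plaintext request is ever sent and the SSL-stripping window closes."""
    parts = urlsplit(url)
    if parts.scheme != "http" or policy is None:
        return url
    if not policy_covers(policy, parts.hostname or "", now):
        return url
    netloc = parts.hostname or ""
    if parts.port and parts.port != 80:      # port 80 becomes the default 443
        netloc += f":{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # constructed sample header, as the article's example server would send it
    header = "max-age=31536000; includeSubDomains; preload"
    print("preload findings:", preload_findings(header) or "none")
    policy = remember_policy("example.com", header, time.time())
    print(upgrade_url(policy, "http://api.example.com/login", time.time()))
```

Running the module prints "none" for the fully configured header and shows the subdomain request being upgraded; feeding it a header such as max-age=300 instead lists the three findings an assessment would raise. Note that a real browser only honours the header when it arrives over HTTPS and ignores it entirely if max-age is missing, which is why parse_hsts returns None rather than a partial policy.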