What HSTS Protects Against

HSTS protects against three classes of attack on HTTPS deployments:

SSL Stripping

Prevents downgrade to plain HTTP: once the policy is cached, the browser rewrites http:// requests to https:// before they leave the client

Cookie Hijacking

Ensures cookies are only sent over HTTPS, because the browser never issues a cleartext request to the host (the Secure cookie attribute still belongs on the cookie itself; HSTS complements it rather than replacing it)

Man-in-the-Middle

Blocks connections that present an invalid certificate: browsers treat certificate errors on an HSTS host as fatal and offer no click-through warning

HSTS Directive Options

max-age

Duration in seconds for which the browser remembers the policy (31536000 = 1 year); the timer is refreshed on every HTTPS response that carries the header

includeSubDomains

Applies the policy to all subdomains of the host that sent the header

preload

Signals consent for inclusion in browser preload lists; the directive alone does not preload the site (see the submission steps below)

Step-by-Step Implementation

  1. Ensure the whole site works over HTTPS (every page and asset, no mixed content)
  2. Start with a short max-age (e.g., 300 seconds) so a mistake expires quickly
  3. Test that all subdomains work over HTTPS
  4. Gradually increase max-age once each stage has run cleanly
  5. Submit to the HSTS Preload List if applicable

HSTS Preload List Submission

1. Requirements

  • Valid SSL/TLS certificate
  • Redirect all HTTP requests → HTTPS on the same host
  • Base domain serves HTTPS

2. Submission

Submit the domain via hstspreload.org, which checks the requirements above before accepting it

3. Approval

Browser inclusion takes several weeks, because the list ships with browser releases
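To tie the rollout steps and the preload requirements together, the following added example (not code from the original page) parses a Strict-Transport-Security header value and reports which stage of the rollout it represents. It assumes the commonly published preload criteria for the header itself: max-age of at least one year, includeSubDomains and preload; the HTTP-to-HTTPS redirect and certificate checks are left to hstspreload.org.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

ONE_YEAR = 31536000  # seconds; the one-year value quoted above. Added example, not the page's code.

@dataclass
class HstsPolicy:
    max_age: int | None = None
    include_subdomains: bool = False
    preload: bool = False
    problems: list[str] = field(default_factory=list)

def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value: directives split on ';',
    names are case-insensitive, the max-age value may be quoted (RFC 6797)."""
    policy, seen = HstsPolicy(), set()
    for token in filter(None, (t.strip() for t in header.split(";"))):
        name, _, value = token.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:  # a repeated directive makes the whole header invalid
            policy.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", value):
                policy.max_age = int(value)
            else:
                policy.problems.append("max-age must be a non-negative integer")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # any other directive is ignored, as RFC 6797 requires
    if policy.max_age is None:
        policy.problems.append("max-age directive is required")
    return policy

def rollout_stage(policy: HstsPolicy) -> str:
    if policy.problems:
        return "invalid"
    if policy.max_age == 0:
        return "disabled"      # max-age=0 tells browsers to drop the stored policy
    if policy.max_age < ONE_YEAR:
        return "testing"       # short max-age such as the 300 seconds suggested above
    if not (policy.include_subdomains and policy.preload):
        return "production"    # one year, but not yet eligible for the preload list
    return "preload-ready"     # hstspreload.org still verifies the HTTP->HTTPS redirect
```

Run it against the header your server actually emits (for example from the output of a HEAD request) to confirm each stage before raising max-age.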