SiteAlertAI SiteAlertAI
⬡ Web Scan 🔒 SSL/TLS 📬 MX Record ✉ Email Header 🎣 URL Check 🌍 IP Geo
⬡ Web Scan 🔒 SSL/TLS 📬 MX Record ✉ Email Header 🎣 URL Check 🌍 IP Geo
← All guides

What Is HSTS and How Do I Enable It?

HTTP Strict Transport Security (HSTS) is a response header that tells browsers to only ever connect to your site over HTTPS, even if a user types http:// or clicks an old link. It closes the small window an attacker could use to downgrade a connection.

Why HSTS matters

Without HSTS, the very first request a browser makes can go over plain HTTP before any redirect fires. On a hostile network that first request can be intercepted. HSTS removes that window by making the browser rewrite every request to HTTPS for a set period.

How to enable it

Send the Strict-Transport-Security header, for example: max-age=63072000; includeSubDomains; preload. The max-age is in seconds (two years is common). Add includeSubDomains only once every subdomain genuinely serves HTTPS, or you will lock out any that do not.

The preload list

Browsers ship a built-in list of domains that are HTTPS-only from the very first visit. Submitting to it requires a valid two-year max-age, includeSubDomains, and the preload token. Removal is slow, so only preload when you are confident every subdomain supports HTTPS.

🛰 Check your HSTS header →

Related guides

  • Content-Security-Policy Explained (and How to Fix a Weak One)
  • Mixed Content: Why Your HTTPS Padlock Breaks
  • CAA Records: Control Which CAs Can Issue Your Certificates
SiteAlertAI · © 2026 All rights reserved · Built for security professionals and developers.
Blog Guides Privacy Terms About Contact Social

⚠ For authorised security testing only. Scanning domains you do not own may violate laws in your jurisdiction. SiteAlertAI accepts no liability for misuse. CVE data is indicative — verify with NVD.