Seoxpert.io

What Is HSTS?

Definition

HSTS — HTTP Strict Transport Security — is a response header that instructs browsers to use HTTPS for every future request to the domain, even if the user types http:// or follows an http:// link.

It closes the window between an initial HTTP request and the server's 301 redirect to HTTPS — a window that attackers can exploit with an SSL-stripping man-in-the-middle attack. HSTS is defined in RFC 6797.

Syntax

The header is sent over HTTPS only — browsers ignore it over plain HTTP:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Three directives:

  • max-age — seconds the browser should enforce HTTPS. 31536000 (1 year) is the standard production value.
  • includeSubDomains — extends the rule to every subdomain of the current host. Only enable when every subdomain has HTTPS.
  • preload — signals intent to be added to the browser preload list.

The Preload List

The HSTS preload list — maintained at hstspreload.org and shipped inside Chrome, Firefox, Safari, and Edge — hard-codes domains that should always use HTTPS, even on the first-ever visit before any header has been received.

To be eligible, the site must serve a valid certificate on the apex and www, redirect HTTP to HTTPS, and send an HSTS header with max-age at least 31536000, includeSubDomains, and preload. Removal from the list is possible but takes weeks and requires waiting for the next browser release cycle.

Rollout Mistakes

Enabling includeSubDomains too early

includeSubDomains on example.com will enforce HTTPS on every subdomain — legacy.example.com, intranet.example.com, development hosts — even those with no HTTPS certificate. Affected subdomains become unreachable for users who have seen the header once.

Starting with a long max-age

If you ship max-age=31536000 and then discover a subdomain is broken, every user who has loaded any HSTS-protected page will continue to enforce HTTPS for a year. Roll out with a short max-age, verify, then increase.

Preloading before you are fully certain

Once on the preload list, removal requires browser releases to propagate. Preload only after HSTS has been stable at the full max-age for weeks and every host you care about has HTTPS.

How Seoxpert Checks HSTS

The security scanner checks the HSTS header on every host encountered during the crawl:

  • Header presence and max-age value
  • includeSubDomains directive
  • Preload eligibility based on the required combination
  • Pages served over HTTP without a redirect to HTTPS
  • Mixed-content resources loaded over HTTP on HTTPS pages
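The header-level checks above, as an added example that is not Seoxpert's own scanner code: it parses a Strict-Transport-Security value per RFC 6797 and applies the header half of the preload requirements from the Preload List section. The certificate and HTTP-to-HTTPS redirect checks are assumed to be done elsewhere, and `parse_hsts` and `HstsPolicy` are names chosen here.

```python
# Added example, not Seoxpert's scanner: parse a Strict-Transport-Security
# value per RFC 6797 and apply the checks above, plus the header half of
# preload eligibility (max-age >= 31536000, includeSubDomains, preload).
# Certificate validity and the HTTP->HTTPS redirect are out of scope here.
from dataclasses import dataclass, field
from typing import Optional

PRELOAD_MIN_MAX_AGE = 31536000  # one year, required by hstspreload.org

@dataclass
class HstsPolicy:
    present: bool = False
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: list = field(default_factory=list)

    @property
    def preload_eligible(self) -> bool:
        return (self.present and (self.max_age or 0) >= PRELOAD_MIN_MAX_AGE
                and self.include_subdomains and self.preload)

def parse_hsts(header: Optional[str], over_https: bool = True) -> HstsPolicy:
    """Directives: ';'-separated, case-insensitive, max-age required, duplicates invalid, unknown ignored."""
    if header is None or not over_https:  # browsers discard HSTS sent over HTTP
        return HstsPolicy(problems=["header missing" if header is None
                                    else "header sent over HTTP; ignored"])
    policy, seen = HstsPolicy(present=True), set()
    for token in (t.strip() for t in header.split(";") if t.strip()):
        name, _, value = token.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:
            policy.problems.append(f"duplicate directive {name}")
            continue
        seen.add(name)
        if name == "max-age" and value.isdigit():
            policy.max_age = int(value)
        elif name == "max-age":
            policy.problems.append("max-age is not a non-negative integer")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age is None:
        policy.problems.append("max-age missing")
    elif policy.max_age == 0:
        policy.problems.append("max-age=0 clears the stored policy")
    elif policy.preload and not policy.preload_eligible:
        policy.problems.append("preload set but max-age or includeSubDomains falls short")
    return policy
```

Feed it the raw header value from each HTTPS response during a crawl; a non-empty `problems` list or `preload_eligible == False` on a domain that has already submitted to the preload list is the case worth flagging.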


Frequently Asked Questions

Does HSTS affect SEO?

Indirectly. HTTPS itself is a minor Google ranking signal. HSTS reinforces the HTTPS boundary and is a quality signal that correlates with well-maintained sites — but it is not a direct ranking factor.

What is HSTS preloading?

A list of domains baked into major browsers that forces HTTPS on the first-ever visit, before any header has been seen. Managed at hstspreload.org. Easy to join, hard to leave.

Should I use includeSubDomains?

Only when every subdomain supports HTTPS. Enabling it on example.com breaks any subdomain still served over HTTP, with no way for the user to opt out.

How long should max-age be?

Start with 300 seconds, verify nothing breaks, raise to 86400 (1 day), then to 31536000 (1 year). The long value is required for preload list eligibility.

Is HSTS the same as HTTPS?

No. HTTPS is the encrypted protocol. HSTS is a policy header that tells the browser to only ever use HTTPS for your domain. HSTS is useless without HTTPS already being correctly configured.
