HSTS

What is HSTS?

HTTP Strict Transport Security (HSTS, RFC 6797) is a security mechanism that lets a website tell browsers to reach it only over HTTPS. Once a browser has seen the policy, it refuses to open plain HTTP connections to that host, even if the user explicitly types http:// in the address bar, and it also refuses to let the user click through certificate errors for that host. Its main purpose is to stop SSL-stripping and other protocol-downgrade attacks on repeat visits.

How HSTS Works

HSTS works through the Strict-Transport-Security HTTP response header sent from the server to the user agent. The browser only honours the header when it arrives over a valid HTTPS connection (a header received over plain HTTP must be ignored); it then records the host and, for as long as the policy is valid, rewrites every http:// request to that host to https:// before anything is sent on the wire. Because the policy is learned from a first successful HTTPS response, the very first visit is unprotected unless the domain is on the preload list.

HSTS Header Example:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

HSTS Directives in Detail

max-age

The max-age directive defines how long, in seconds, the browser should keep the HSTS policy after the last time it saw the header. Every HTTPS response that carries the header restarts the timer, so the value is an upper bound on how long a site that stops sending the header stays locked to HTTPS.

Recommended Values:

  • Minimum: 1 year (31,536,000 seconds); this is also what the preload list requires
  • Optimal: 2 years (63,072,000 seconds)
  • RFC 6797 defines no maximum; values beyond 2 years add little because the timer is refreshed on every HTTPS response anyway
  • For a first rollout, start with a short value such as 300 seconds so that a mistake can be undone quickly

includeSubDomains

This directive extends the HSTS policy to all subdomains of the host that sent the header. It matters for security because cookies are scoped by domain, not by scheme: without includeSubDomains, an attacker who can intercept plain HTTP traffic to any subdomain can set or overwrite cookies that the parent domain then accepts (RFC 6797, section 14.4). The caveat is that every subdomain, including internal and legacy hosts, must then be reachable over HTTPS, or it becomes unreachable from browsers that have cached the policy.

Example:

  • Domain: example.com
  • With includeSubDomains: Applies to www.example.com, api.example.com, blog.example.com
  • Without includeSubDomains: Only applies to example.com

preload

The preload directive does nothing in the browser by itself; it signals the site owner's consent to being added to the HSTS preload list that ships inside Chrome and is consumed by Firefox, Safari and Edge as well. Inclusion in that list closes the first-visit gap: the browser enforces HTTPS for the domain before it has ever received the header. Because removal from the list also has to propagate through browser releases, preloading should be treated as effectively permanent.
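To make the behaviour described under "How HSTS Works" and the three directives concrete, here is an added example (not code from the page) of a browser-side HSTS store modelled on RFC 6797: it parses the header, ignores it over plain HTTP, applies max-age expiry, superdomain matching with includeSubDomains, removal via max-age=0, and the http:// to https:// rewrite. The hostnames, header values and timestamps are constructed for the demonstration.

```python
"""Browser-side HSTS policy store, modelled on RFC 6797 (sections 6.1 and 8.1 to 8.3).

Added example, not code from the page; hostnames, header values and times are constructed.
"""
import re
import time

# One directive: token name, optionally '=' and a token or quoted-string (RFC 6797 6.1).
_DIRECTIVE_RE = re.compile(r'\s*([A-Za-z0-9!#$%&\'*+.^_`|~-]+)\s*(?:=\s*(?:"([^"]*)"|([^;\s]*)))?\s*')


def parse_sts_header(value):
    """Return {'max_age', 'include_subdomains', 'preload'} for a valid header value, else None.

    Names are case-insensitive, a repeated directive makes the whole header invalid,
    unknown directives are ignored, and max-age is mandatory (RFC 6797 6.1).
    """
    seen = {}
    for part in value.split(';'):          # quoted-strings containing ';' are not expected here
        if not part.strip():
            continue
        m = _DIRECTIVE_RE.fullmatch(part)
        if m is None:
            return None
        name = m.group(1).lower()
        if name in seen:
            return None                    # duplicate directive: whole header is invalid
        seen[name] = m.group(2) if m.group(2) is not None else m.group(3)
    max_age = seen.get('max-age')
    if max_age is None or not re.fullmatch(r'[0-9]+', max_age):
        return None
    return {'max_age': int(max_age),
            'include_subdomains': 'includesubdomains' in seen,
            'preload': 'preload' in seen}


class HstsStore:
    """Known HSTS hosts keyed by exact hostname: host -> (expiry or None, include_subdomains)."""

    def __init__(self, preloaded=()):
        # Preloaded entries never expire and always cover subdomains, like the shipped list.
        self._hosts = {h.lower(): (None, True) for h in preloaded}

    def process_response(self, host, header_value, over_tls, now=None):
        """Apply a Strict-Transport-Security header from a response; True if the store changed."""
        if not over_tls:
            return False                   # RFC 6797 8.1: ignore the header over plain HTTP
        policy = parse_sts_header(header_value)
        if policy is None:
            return False
        host = host.lower()
        if policy['max_age'] == 0:
            return self._hosts.pop(host, None) is not None   # max-age=0 forgets the policy
        now = time.time() if now is None else now
        self._hosts[host] = (now + policy['max_age'], policy['include_subdomains'])
        return True

    def is_known(self, host, now=None):
        """Exact match, or a superdomain match whose entry has includeSubDomains (8.2, 8.3)."""
        now = time.time() if now is None else now
        labels = host.lower().split('.')
        for i in range(len(labels)):
            candidate = '.'.join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry is not None and expiry <= now:
                del self._hosts[candidate] # expired policy is dropped on sight
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url, now=None):
        """Upgrade an http:// URL for a known host: port 80 -> 443, other explicit ports kept (8.3)."""
        if not url.lower().startswith('http://'):
            return url
        hostport, sep, path = url[len('http://'):].partition('/')
        hostname, colon, port = hostport.partition(':')
        if not self.is_known(hostname, now):
            return url
        if port == '80':
            port = '443'
        return 'https://' + hostname + (':' + port if colon else '') + sep + path


if __name__ == '__main__':
    store, t0 = HstsStore(), 1_700_000_000
    hdr = 'max-age=31536000; includeSubDomains; preload'
    store.process_response('example.com', hdr, over_tls=False, now=t0)   # ignored: plain HTTP
    print(store.rewrite('http://example.com/', now=t0))
    store.process_response('example.com', hdr, over_tls=True, now=t0)
    print(store.rewrite('http://api.example.com:80/v1', now=t0))        # covered by includeSubDomains
    print(store.rewrite('http://example.com/', now=t0 + 31536001))      # policy expired
```

The store keeps only what a browser keeps: no record of the preload directive, which is consumed by the preload-list submission process rather than by the browser.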

SEO Benefits of HSTS

1. Security Ranking Signal

Google has confirmed HTTPS as a lightweight ranking signal. HSTS is not documented as a separate ranking factor; its contribution is that every request from users and crawlers ends up on HTTPS, so the HTTPS signal applies to the whole site consistently instead of to whichever URLs happen to be linked with https://.

2. Prevents Mixed Content

HSTS does not remove mixed content by itself. The browser upgrades http:// subresource requests to hosts covered by the policy (the domain itself and, with includeSubDomains, its subdomains), so first-party mixed content disappears; http:// resources loaded from third-party hosts remain mixed content and are blocked or auto-upgraded by the browser. Fix the references in the markup rather than relying on HSTS for this.

3. Improved Core Web Vitals

On repeat visits the browser rewrites http:// URLs to https:// before sending anything, so the server-side HTTP-to-HTTPS redirect round trip is skipped entirely (Chrome shows this in DevTools as a "307 Internal Redirect"). That saves one request per entry point, which is visible mostly for sites that are still widely linked with http:// URLs.

4. Trustworthiness

Visitors never see an insecure version of the site, and the browser will not let them click through a certificate error on an HSTS host. Any SEO effect of this is indirect, through user behaviour, rather than a signal search engines read from the header.

HSTS Implementation

1. Server Configuration

Apache (.htaccess):

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

The env=HTTPS condition (mod_headers, with the HTTPS variable set by mod_ssl) keeps the header off plain-HTTP responses, where browsers would ignore it anyway; without the condition the directive is still valid.

Nginx:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Place this in the server block that listens with ssl. Note that add_header is not merged across levels: a location block that declares any add_header of its own drops every add_header inherited from the server block, so either repeat the directive there or keep all add_header lines at one level.

IIS (web.config):

<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

customHeaders adds the header to every response of the site, including those served over plain HTTP, which browsers ignore. IIS 10 (version 1709 and later) also offers a dedicated <hsts> site element that only emits the header on HTTPS responses.

2. HSTS Preload List

Steps for Inclusion:

  1. The site and every subdomain serve valid HTTPS
  2. http://example.com (port 80) redirects to https:// on the same host
  3. The HTTPS response on the base domain carries max-age of at least 31536000, includeSubDomains and preload; if that response is itself a redirect, the redirect must carry the header as well
  4. Submit the domain at hstspreload.org
  5. Wait for the list update to ship in browser releases (weeks to months); removal propagates just as slowly, so treat preloading as effectively permanent

HSTS Testing and Validation

Browser Tools

  • Chrome: the DevTools Network panel shows the response header; chrome://net-internals/#hsts queries or deletes the stored policy for a host
  • Firefox: the Network panel shows the header; "Forget About This Site" clears the stored policy for a host
  • Online tools: SSL Labs SSL Test, the hstspreload.org status check

Test Commands

# Check the HSTS header on the HTTPS response (-L follows redirects, so you also see it on any redirect hop)
curl -sIL https://example.com | grep -i strict-transport

# Check that plain HTTP redirects to HTTPS on the same host
curl -sI http://example.com | grep -iE '^(HTTP|location)'

# Check HSTS preload status
curl -s "https://hstspreload.org/api/v2/status?domain=example.com"
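The curl commands above show the raw responses; this added example (not from the page or from hstspreload.org) turns them into a check against the observable preload requirements listed under "Steps for Inclusion": the http:// redirect must go straight to https:// on the same host, and every HTTPS hop on the base domain must carry a header with max-age of at least one year, includeSubDomains and preload. evaluate() is a pure function over recorded redirect hops and runs on constructed data; probe() collects real hops with urllib when the script is run with a hostname.

```python
"""Preload-readiness check for a domain, as an added example (not from the page).

evaluate() works on recorded hops, so it runs offline; probe() records live hops with urllib.
"""
import ssl
import urllib.error
import urllib.parse
import urllib.request

ONE_YEAR = 31_536_000                   # smallest max-age hstspreload.org accepts
REDIRECTS = (301, 302, 303, 307, 308)


def sts_directives(value):
    """Lower-cased directive name -> value (None when the directive has no value)."""
    out = {}
    for part in value.split(';'):
        name, _, val = part.partition('=')
        if name.strip():
            out[name.strip().lower()] = val.strip().strip('"') or None
    return out


def evaluate(domain, http_hops, https_hops):
    """Return the requirements the recorded hops violate; an empty list means ready.

    Each hop is (status, url, location, sts_header). http_hops starts at http://domain/
    and https_hops at https://domain/, each following redirects in order.
    """
    problems = []
    if http_hops:
        status, _, location, _ = http_hops[0]
    else:
        status, location = None, None
    target = urllib.parse.urlsplit(location or '')
    if status not in REDIRECTS or target.scheme != 'https' or target.hostname != domain:
        problems.append('http://%s must redirect straight to https://%s' % (domain, domain))
    for status, url, _, sts in https_hops:
        if urllib.parse.urlsplit(url).hostname != domain:
            continue                    # other hosts are covered by includeSubDomains, not checked here
        if sts is None:
            problems.append('%s (%s) sends no Strict-Transport-Security header' % (url, status))
            continue
        d = sts_directives(sts)
        age = d.get('max-age')
        if age is None or not age.isdigit() or int(age) < ONE_YEAR:
            problems.append('%s: max-age must be >= %d, got %r' % (url, ONE_YEAR, age))
        for directive in ('includesubdomains', 'preload'):
            if directive not in d:
                problems.append('%s: %s directive missing' % (url, directive))
    return problems


def probe(domain, timeout=10):
    """Record the redirect hops for http:// and https:// on a live host, one request per hop."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None                 # surface 3xx as HTTPError instead of following it
    opener = urllib.request.build_opener(
        NoRedirect, urllib.request.HTTPSHandler(context=ssl.create_default_context()))

    def hops(url):
        out = []
        for _ in range(5):              # bounded, so a redirect loop cannot hang the check
            try:
                resp = opener.open(url, timeout=timeout)
            except urllib.error.HTTPError as err:
                resp = err              # 3xx/4xx responses still carry their headers
            location = resp.headers.get('Location')
            out.append((resp.getcode(), url, location, resp.headers.get('Strict-Transport-Security')))
            if resp.getcode() not in REDIRECTS or not location:
                break
            url = urllib.parse.urljoin(url, location)
        return out
    return hops('http://%s/' % domain), hops('https://%s/' % domain)


if __name__ == '__main__':
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else 'example.com'
    http_hops, https_hops = probe(host)
    for line in evaluate(host, http_hops, https_hops) or ['no problems found; submit at hstspreload.org']:
        print(line)
```

The check mirrors the published requirements but is not the submission itself; hstspreload.org also verifies the certificate chain and scans subdomains, so use its status check as the final word.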

Common HSTS Problems

1. Incorrect Implementation

Problem: The HSTS header is sent only on HTTP responses, or HTTP is not redirected to HTTPS at all

Solution: Browsers ignore the header on plain-HTTP responses (RFC 6797, section 8.1), so it must be sent on the HTTPS responses, and port 80 must redirect to HTTPS so that the browser gets to see it

2. Too Short max-age

Problem: max-age=0 or very short values left in place after the rollout

Solution: max-age=0 removes the policy and a short value re-opens the downgrade window as soon as it expires; once the rollout is stable, set at least 1 year (31,536,000 seconds)

3. Missing includeSubDomains

Problem: Subdomains not covered, so an attacker on an insecure subdomain can still set cookies for the parent domain

Solution: Add the includeSubDomains directive, but only after confirming that every subdomain, including internal and legacy hosts, is reachable over HTTPS, because the policy cannot be undone on clients until it expires

4. Preload Without Preparation

Problem: Domain submitted to the preload list without complete HTTPS coverage, making any HTTP-only subdomain unreachable for every browser user

Solution: Complete the HTTPS rollout and run with includeSubDomains for a while first, then submit; removal from the list takes months to reach users

HSTS Monitoring

1. Header Monitoring

Regularly check that the header is still sent on every HTTPS entry point with the intended max-age. A deployment that silently drops the header does not break anything immediately, because browsers keep the cached policy until it expires, so the regression is invisible without monitoring.

2. Preload Status

Poll the hstspreload.org status API to confirm the domain stays listed (and that no removal request was filed), since preload status is not visible from the site's own responses.

3. Mixed Content Detection

Crawl the site and flag http:// subresource references, especially to third-party hosts, which HSTS does not upgrade.

Best Practices for HSTS

1. Step-by-Step Implementation

  1. Phase 1: HSTS with a short max-age (for example 300 seconds), without includeSubDomains and preload
  2. Phase 2: Raise max-age step by step toward 1 to 2 years once no HTTP-only content turns up
  3. Phase 3: Add includeSubDomains after verifying HTTPS on every subdomain
  4. Phase 4: Add the preload directive and register with the preload list

2. Rollback Strategies

  • HSTS removal plan: serving max-age=0 over HTTPS clears the policy on each client the next time it connects; clients that do not return keep enforcing HTTPS until their cached max-age expires, and a preloaded domain additionally needs a removal request at hstspreload.org
  • Certificate management: automatic certificate renewal, since an expired certificate on an HSTS host cannot be clicked through and takes the site offline for browsers
  • Monitoring: continuous monitoring of HTTPS availability on the domain and all covered subdomains

3. Documentation

  • HSTS Policy: Internal documentation of HSTS configuration
  • Rollback Plan: procedures for deactivating HSTS, including who can change the header, the expected time until clients forget the policy, and the preload removal process if applicable
  • Team Training: Knowledge transfer to all stakeholders

HSTS vs. Other Security Measures

Security Measure            Protection Against                       SEO Benefit   Implementation
HSTS                        Protocol downgrade, man-in-the-middle    High          Easy
HTTPS Redirect              Plain-HTTP access                        Medium        Easy
Mixed Content Prevention    Insecure subresources                    Medium        Medium
Security Headers            Various attacks                          Low           Complex

HSTS and Different Website Types

E-Commerce Websites

Special Requirements:

  • Highest security standards required, since session cookies and checkout flows are the main downgrade targets
  • PCI DSS requirements for protecting cardholder data in transit to consider
  • Payment provider and third-party integrations to check for HTTP-only callbacks or embedded resources before enabling includeSubDomains

Corporate Websites

Recommendations:

  • HSTS for all subdomains
  • Preload List registration
  • Comprehensive documentation

Blog/Content Websites

Minimum Requirements:

  • Basic HSTS implementation
  • Regular monitoring
  • Simple rollback strategy

Future of HSTS

HTTP/3 Integration

HTTP/3 runs only over QUIC with TLS, but a browser still reaches an http:// URL over plain HTTP/1.1 or HTTP/2 first, so HSTS keeps its role of preventing that initial insecure request.

Browser Evolution

Browsers are moving toward HTTPS by default (HTTPS-first modes and automatic upgrades), which narrows the gap HSTS closes but does not replace a policy the site itself declares.

Automation

HSTS configuration and monitoring increasingly belong in infrastructure-as-code and CI checks rather than manual server edits.
