How to add a strong HSTS header
Tell browsers to only ever connect to your site over HTTPS, closing the gap before the redirect.
What it is
HTTP Strict Transport Security is a response header (`Strict-Transport-Security`) that tells browsers to force HTTPS for your domain for a set period.
Why it matters
Even with a redirect, the very first request of a session can go over http and be hijacked. HSTS removes that window — after one secure visit, the browser refuses http entirely.
How to fix it
- 1Add the header: `Strict-Transport-Security: max-age=31536000; includeSubDomains`.
- 2Use a max-age of at least 6 months (15552000); 1 year (31536000) is standard.
- 3Add `includeSubDomains` only once every subdomain is HTTPS-ready.
- 4Optionally add `preload` and submit to hstspreload.org to bake it into browsers.
- 5Re-scan to confirm a strong HSTS policy is present.
Not sure if your site is affected?
Run a free scan — or let us fix it all for you.