Security guide

What Is HSTS?

Learn how HTTP Strict Transport Security works, when to enable it, and what to check before using HSTS across subdomains.

Problem Summary

HTTP Strict Transport Security tells supporting browsers to use HTTPS for a site once they have seen a valid HSTS header on an HTTPS response (browsers ignore the header on plain HTTP). It helps reduce downgrade risk, but it should be enabled only after HTTPS is ready for every hostname the policy will cover.

Why It Matters

  • HSTS helps browsers avoid returning to HTTP after the first valid HTTPS visit.
  • includeSubDomains can affect every subdomain, including legacy and vendor-managed hosts.
  • Preload is a long-lived browser-list commitment and should be treated as an operational decision.

How Qourby Checks It

  • Checks HTTPS responses for the Strict-Transport-Security header.
  • Reports max-age, includeSubDomains, and preload directives when present.
  • Flags missing HSTS on sites that otherwise appear intended for HTTPS-only operation.
  • This check does not replace manual inventory of every subdomain before includeSubDomains or preload decisions.

Basic scanning checks externally observable configuration and response behavior. Manual penetration testing goes further with authenticated flows, exploit validation, source review, business logic testing, and human judgment.

Common Failures

  • Strict-Transport-Security missing from HTTPS responses.
  • max-age set too low for the team's intent.
  • includeSubDomains enabled before all subdomains support HTTPS.
  • HSTS sent inconsistently across app routes or edge locations.
  • Preload directive added without a rollback plan.
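As an added example (not Qourby's own code), a small Python checker that parses the Strict-Transport-Security value, maps one HTTPS response to the failure modes above, and spots routes whose header disagrees with the rest. The one-year threshold and the sample responses are assumptions made for this example.

```python
from collections import Counter
# Assumed threshold (not from the guide): one year is the minimum max-age the
# browser preload list accepts, so it also serves as the "not too low" bar here.
ONE_YEAR = 31536000

def get_hsts(headers):
    # Header names are case-insensitive: accept whatever spelling the server used.
    return next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)

def parse_hsts(value):
    """Parse an HSTS header value. Directive names are case-insensitive (RFC 6797)."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            # a non-numeric max-age is unparseable, which browsers treat as no policy
            parsed["max_age"] = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed

def check_hsts(headers, min_max_age=ONE_YEAR):
    """Map one HTTPS response's headers to the failure modes listed above."""
    value = get_hsts(headers)
    if value is None:
        return ["hsts-missing"]
    h = parse_hsts(value)
    findings = []
    if h["max_age"] is None:
        findings.append("max-age-missing")  # max-age is mandatory per RFC 6797
    elif h["max_age"] < min_max_age:
        findings.append("max-age-low")  # also catches max-age=0, which clears the policy
    if h["preload"] and not (h["include_subdomains"] and (h["max_age"] or 0) >= ONE_YEAR):
        findings.append("preload-without-prerequisites")
    return findings

def inconsistent_routes(responses):
    """Given {route: headers}, return routes whose HSTS value differs from the majority."""
    values = {route: get_hsts(hdrs) for route, hdrs in responses.items()}
    baseline = Counter(values.values()).most_common(1)[0][0]
    return sorted(route for route, v in values.items() if v != baseline)

SAMPLE = {  # constructed sample: a correct edge route, a short-lived app route, a bare host
    "/": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "/api": {"strict-transport-security": "max-age=300"},
    "/legacy": {},
}
```

Run `check_hsts` over each captured response and `inconsistent_routes` over the whole set; a real inventory of subdomains is still needed before acting on includeSubDomains or preload.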

How To Fix

  • Confirm HTTPS works for the canonical hostname and important aliases.
  • Start with a conservative max-age and increase after observing stable behavior.
  • Use includeSubDomains only after validating subdomain readiness.
  • Treat preload as a separate launch decision, not a default header option.
  • Set HSTS at the edge or reverse proxy when that layer reliably handles HTTPS.
