
How to Add HSTS to Your Website

If your domain security scan shows HSTS is not configured, browsers visiting your site are not being forced to use HTTPS on every request. This guide explains how to add the Strict-Transport-Security header correctly.

What this finding means

HSTS (HTTP Strict Transport Security) is an HTTP response header that tells browsers to use HTTPS for every connection to your domain for a specified period: once a browser has seen the header, it upgrades any http:// URL to https:// itself instead of sending the request over plain HTTP. Without HSTS, even if your server redirects HTTP to HTTPS, a user's first request on a new connection (or any request typed as http://) is sent over plain HTTP before the redirect fires.

Why it matters

The correct HSTS header value

Start with a short max-age and increase it once you're confident HTTPS is working reliably across your entire domain.

Starting value (safe)

This tells browsers to use HTTPS for 24 hours:

Strict-Transport-Security: max-age=86400

Recommended value (once confirmed working)

This enforces HTTPS for one year across all subdomains:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Preload-ready value (optional)

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Before adding preload: HSTS preloading is difficult to reverse. Only add the preload directive when you are certain every subdomain on your domain serves HTTPS correctly. Once submitted to the preload list, removal takes months to propagate.

How to add the header — by platform

Cloudflare

Settings → SSL/TLS → Edge Certificates → HTTP Strict Transport Security → Enable. Set max-age to at least 6 months. Cloudflare adds the header automatically.

Nginx

Add to the server block that serves HTTPS (browsers ignore the header on plain-HTTP responses, so it only needs to be sent there):

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Apache

Add to your .htaccess or to the VirtualHost that serves HTTPS (requires mod_headers to be enabled):

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Vercel

Add to vercel.json:

{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        {
          "key": "Strict-Transport-Security",
          "value": "max-age=31536000; includeSubDomains"
        }
      ]
    }
  ]
}

Netlify

Add to netlify.toml:

[[headers]]
  for = "/*"
  [headers.values]
    Strict-Transport-Security = "max-age=31536000; includeSubDomains"

Verify it worked

Scan your domain at mydomainrisk.com — the HSTS finding will show the detected max-age value and whether includeSubDomains and preload are present.
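To check the header yourself, here is an added example in Python that is not part of this guide or of the MyDomainRisk scanner. It parses a Strict-Transport-Security value following the RFC 6797 directive rules (case-insensitive names, a required numeric max-age, no duplicate directives), classifies it into the three tiers this guide describes (starting, recommended, preload-ready), and, when given a hostname on the command line, reads the header from the live HTTPS response. The tier names, the `evaluate_hsts` / `fetch_hsts` function names and the preload threshold of one year are this example's own choices; the sample header values are constructed from the ones shown above.

```python
"""Parse, classify and (optionally) fetch a Strict-Transport-Security header.

Added example for this guide; not the page's or MyDomainRisk's own code.
Directive grammar follows RFC 6797: directives separated by ';', names are
case-insensitive, max-age is required, a name may appear only once.
"""
import re
import ssl
import sys
import urllib.error
import urllib.request

ONE_YEAR = 31536000
PRELOAD_MIN_AGE = ONE_YEAR  # the preload list requires at least one year

# name, optionally followed by '=' and either a quoted or an unquoted value
_DIRECTIVE = re.compile(
    r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("([^"]*)"|([^\s;"]+)))?\s*$')


def parse_hsts(value):
    """Return {lower-case name: value or None}; raise ValueError if malformed."""
    directives = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # a trailing ';' produces an empty element; ignore it
        m = _DIRECTIVE.match(part)
        if not m:
            raise ValueError(f"malformed directive: {part.strip()!r}")
        name = m.group(1).lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = m.group(3) if m.group(3) is not None else m.group(4)
    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    age = directives["max-age"]
    if age is None or not age.isdigit():
        raise ValueError(f"max-age must be a non-negative integer, got {age!r}")
    directives["max-age"] = int(age)
    return directives


def evaluate_hsts(value):
    """Classify a header value into the guide's tiers.

    Returns (level, notes): level is 'invalid', 'disabled', 'starting',
    'recommended' or 'preload-ready'; notes lists anything worth fixing.
    """
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return "invalid", [str(exc)]
    age, subs, preload = d["max-age"], "includesubdomains" in d, "preload" in d
    if age == 0:
        return "disabled", ["max-age=0 tells browsers to forget the policy"]
    notes = []
    if preload:
        if age < PRELOAD_MIN_AGE:
            notes.append(f"preload requires max-age >= {PRELOAD_MIN_AGE}, got {age}")
        if not subs:
            notes.append("preload requires includeSubDomains")
        if not notes:
            return "preload-ready", notes
    if age >= ONE_YEAR:
        if not subs:
            notes.append("subdomains are not covered; add includeSubDomains "
                         "once every subdomain serves HTTPS")
        return "recommended", notes
    notes.append(f"short max-age ({age}s); raise to {ONE_YEAR} once HTTPS is reliable")
    return "starting", notes


def fetch_hsts(hostname, timeout=10):
    """Return the Strict-Transport-Security value from https://hostname/, or None.

    The check deliberately requests https:// directly: browsers only honour
    HSTS on an HTTPS response, so the http:// redirect is irrelevant here.
    An error status (e.g. 404) still carries headers, so those are inspected too.
    """
    req = urllib.request.Request(f"https://{hostname}/", method="HEAD",
                                 headers={"User-Agent": "hsts-check-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=ssl.create_default_context()) as resp:
            return resp.headers.get("Strict-Transport-Security")
    except urllib.error.HTTPError as err:
        return err.headers.get("Strict-Transport-Security")


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # live check of one hostname
        header = fetch_hsts(sys.argv[1])
        print("header:", header)
        print(evaluate_hsts(header) if header else ("missing", []))
    else:                                      # constructed sample values
        for sample in ["max-age=86400",
                       "max-age=31536000; includeSubDomains",
                       "max-age=63072000; includeSubDomains; preload",
                       "max-age=300; preload",
                       "includeSubDomains"]:
            print(f"{sample!r:55} -> {evaluate_hsts(sample)}")
```

Run it with no arguments to see the sample values classified, or with a hostname (`python hsts_check.py example.com`) to evaluate the live header. A missing header on the HTTPS response, a max-age far below one year, or preload without includeSubDomains are the findings a scanner such as the one mentioned above would report.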

Check your security headers

MyDomainRisk checks HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy and more — free.
