What Is HSTS and How to Enable It
HSTS (HTTP Strict Transport Security) forces browsers to use HTTPS. Learn what it is, why it matters, and how to add the header to your site.
HSTS (HTTP Strict Transport Security) is a security header that tells browsers: "Only connect to this site over HTTPS. Never use HTTP." Once a browser sees this header, it won't even attempt an insecure connection — it automatically upgrades to HTTPS.
Why HSTS matters
Without HSTS, even if you have an SSL certificate, users can still be vulnerable:
- SSL stripping attacks — An attacker on the same network intercepts the initial HTTP request before it redirects to HTTPS
- Accidental HTTP links — Old bookmarks or links pointing to http:// still work without encryption
- Mixed content — Some resources might load over HTTP without you noticing
HSTS eliminates these risks by making HTTPS mandatory at the browser level.
How to enable HSTS
Add this HTTP response header to your server configuration:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Nginx
server {
    # Set this in the HTTPS (listen 443 ssl) server block: browsers ignore an
    # HSTS header received over plain HTTP, so it does nothing on port 80.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}
Apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Vercel (next.config.ts)
import type { NextConfig } from "next";

const nextConfig: NextConfig = {
  async headers() {
    return [{
      // Apply the header to every route.
      source: "/(.*)",
      headers: [{
        key: "Strict-Transport-Security",
        value: "max-age=31536000; includeSubDomains; preload",
      }],
    }];
  },
};

// next.config.ts must export the config object, otherwise the headers are never applied.
export default nextConfig;
What the parameters mean
- max-age=31536000 — Remember this policy for 1 year (in seconds)
- includeSubDomains — Apply HSTS to all subdomains too
- preload — Eligible for the HSTS preload list (built into browsers)
Check your HSTS header
PageGrader checks for the HSTS header as part of its 11 security checks. Scan your site to see if HSTS is configured correctly.