When you move your site to HTTPS, you’re already ahead of the game. But there’s one more lock you can snap shut: HSTS.
HSTS stands for HTTP Strict Transport Security. It tells browsers:
“Never talk to me over plain HTTP again. Always use HTTPS.”
That’s powerful because it protects users from SSL-stripping attacks, lazy typos (http:// links), and insecure redirects. Once enabled, browsers will refuse to load your site over HTTP.
But…
The catch with HSTS is that it isn’t something you can casually toggle on and off. Once a browser sees the HSTS header, it remembers the rule for as long as you specify in max-age. That means every future visit during that period will be forced over HTTPS, no exceptions. If even one of your subdomains isn’t properly configured for HTTPS, visitors will be completely blocked from reaching it—there’s no graceful fallback to HTTP.
For example, suppose you secure your main site but forget about mail.yoursite.com. The moment HSTS is active with includeSubDomains, anyone trying to reach the webmail panel will get an error screen with no way to bypass it.
And if you add the preload directive, your domain gets hard-coded into every major browser’s list, making the decision effectively permanent until you go through a lengthy removal process.
In short, enabling HSTS too early or without preparing all of your domain’s HTTPS endpoints can break real traffic, lock out users, and create headaches that are much harder to undo than to prevent.
Step 1: Confirm HTTPS is Bulletproof
Before flipping the HSTS switch, test:
- Every page on your main domain loads fine over https://.
- Subdomains (e.g., www, blog, shop) also work with HTTPS, or you don’t mind dropping them.
- No mixed-content errors (HTTP assets like images, CSS, or JS).
If you miss this step, HSTS will punish you with a flood of “site not available” errors.
Step 2: Add the HSTS Header
HSTS is just an HTTP response header. Add it at the web server, CDN, or proxy level, on your HTTPS responses (browsers ignore the header when it arrives over plain HTTP, so it belongs in the HTTPS vhost or server block).
Apache (.htaccess or vhost)
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>
Nginx (server block)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
LiteSpeed / OpenLiteSpeed
Same as Apache:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Cloudflare (or similar CDN)
Go to SSL/TLS → Edge Certificates → HTTP Strict Transport Security. Toggle it on, pick a duration, and enable includeSubDomains if ready.
Step 3: Understand the Header Values
- max-age=31536000 → tells the browser to remember HTTPS for 1 year (value is in seconds).
- includeSubDomains → applies the rule to every subdomain too. Only enable if you’ve verified they’re all HTTPS-ready.
- preload (optional) → marks your site as eligible for Chrome’s HSTS preload list, which is baked into all major browsers (you still submit the domain separately at hstspreload.org). Once preloaded, users will never hit HTTP first — even on first visit.
⚠️ Warning: Preloading is permanent (until you go through a removal request, which is slow). Only add preload when 100% sure.
Example with preload:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Step 4: Test It
- Use securityheaders.com or curl -I https://yoursite.com and check the response headers. You should see: Strict-Transport-Security: max-age=31536000; includeSubDomains
- Visit your site with http:// — it should instantly flip to HTTPS without ever loading insecure content.
- For preload, check hstspreload.org before submitting.
Step 5: CMS-Specific Notes
- Magento 2: HSTS options appear under Stores → Configuration → General → Web once you force secure URLs in both Storefront and Admin.
- WordPress / Joomla / PrestaShop: These don’t set HSTS automatically. You’ll need to add the header via .htaccess, your host’s panel, or a plugin/security module.
- Managed hosting: Some providers (e.g., Kinsta, WP Engine) let you toggle HSTS from the dashboard.
Step 6: Rollout Strategy (Play It Safe)
- Start with a short max-age, like max-age=300 (5 minutes).
- Test your site and subdomains.
- Increase to a week, then a month, then a year.
- Add includeSubDomains once you’re confident.
- Finally, opt into preload if you want the strongest guarantee.
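To make the checks in Step 4 and the rollout stages in Step 6 repeatable, here is an added example (not code from the original article) that parses a Strict-Transport-Security header the way RFC 6797 describes and reports what still blocks a preload submission. The fetch_hsts helper and the yoursite.com samples are assumptions for illustration.

```python
"""Parse and sanity-check a Strict-Transport-Security header (RFC 6797)."""
import re
import urllib.request

ONE_YEAR = 31536000  # seconds; also the minimum max-age hstspreload.org accepts


def parse_hsts(value):
    """Return max-age, includeSubDomains and preload from a raw header value.
    Directive names are case-insensitive and max-age may be a quoted string."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', raw.strip())
            out["max_age"] = int(m.group(1)) if m else None
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def check_hsts(value):
    """Return (parsed directives, list of things that would block preload)."""
    p = parse_hsts(value)
    problems = []
    if p["max_age"] is None:
        problems.append("max-age is missing or unparsable: browsers ignore the header")
    elif p["max_age"] == 0:
        problems.append("max-age=0 tells browsers to forget the policy")
    elif p["max_age"] < ONE_YEAR:
        problems.append("max-age below one year: fine for rollout, too short for preload")
    if not p["include_subdomains"]:
        problems.append("includeSubDomains missing: required for preload")
    if not p["preload"]:
        problems.append("preload directive missing: required before submitting")
    return p, problems


def fetch_hsts(url):
    """HEAD the URL (following any http->https redirect) and return the raw header."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("Strict-Transport-Security")


if __name__ == "__main__":
    # Constructed sample values, one per rollout stage from the article.
    for sample in ["max-age=300", "max-age=31536000; includeSubDomains",
                   "max-age=31536000; includeSubDomains; preload"]:
        parsed, problems = check_hsts(sample)
        print(sample, "->", parsed, problems or "preload-ready")
```

Run `check_hsts(fetch_hsts("https://yoursite.com"))` against a live site to see which rollout stage its current header corresponds to.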
Why It Matters
Attackers still love SSL stripping (e.g., on public Wi-Fi). Without HSTS, a user can click an old http:// link and briefly leak data before the site redirects. With HSTS, the browser blocks that avenue completely.
Most major sites (Google, Facebook, PayPal) have been preloaded for years. If you’re serious about security, you should be too.
✅ Bottom line: HSTS is the final step after HTTPS. Get your certificate, redirect everything, clean up mixed content, then set the header with a sensible rollout. Don’t preload until you’re absolutely sure — but once you are, you’ve locked the door for good.