What is HSTS? HTTP Strict Transport Security

TL;DR

HSTS (HTTP Strict Transport Security) tells browsers to always use HTTPS for your site. Even if someone types http:// or clicks an HTTP link, the browser automatically upgrades the request to HTTPS. This stops attackers who try to intercept traffic by forcing a plain HTTP connection. Enable it with a single response header once you have confirmed that HTTPS works.

The Simple Explanation

Without HSTS, an attacker on the same network (like public WiFi) can intercept your first HTTP request before it redirects to HTTPS. With HSTS, the browser remembers "this site is HTTPS only" and never attempts HTTP, closing that window of vulnerability.

The HSTS Header

HSTS header example

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Header Options

  • max-age: How long (in seconds) browsers should remember the policy. 31536000 = 1 year.
  • includeSubDomains: Apply HSTS to all subdomains too.
  • preload: Request inclusion in browser preload lists.

How to Enable HSTS

Vercel (vercel.json)

vercel.json

{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        {
          "key": "Strict-Transport-Security",
          "value": "max-age=31536000; includeSubDomains"
        }
      ]
    }
  ]
}

Nginx

nginx.conf

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Test first! Start with a short max-age (300 seconds) to ensure HTTPS works correctly. If HTTPS breaks with a long max-age, users cannot access your site until it expires.

HSTS Preloading

For maximum protection, submit your domain to the HSTS preload list at hstspreload.org. Browsers will use HTTPS even on the very first visit. Requirements:

  • Valid HTTPS certificate
  • Redirect HTTP to HTTPS
  • HSTS header with max-age at least 1 year
  • includeSubDomains directive
  • preload directive
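As an added example (not code from this page or from hstspreload.org), here is a small Python checker that parses a Strict-Transport-Security value the way RFC 6797 describes and reports which of the preload requirements above it misses; the sample header values at the bottom are constructed, not taken from any real site.

```python
"""Parse a Strict-Transport-Security header value and check preload readiness."""
import re

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org requires


def parse_hsts(header_value):
    """Return {directive_name: value} from a raw header value.

    Directive names are case-insensitive (RFC 6797); a directive that
    appears twice makes the whole header invalid, so None is returned.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be quoted
        if name in directives:
            return None
        directives[name] = value
    return directives


def check_hsts(header_value):
    """Return a list of problems; an empty list means preload-ready."""
    d = parse_hsts(header_value)
    if d is None:
        return ["duplicate directive; browsers ignore the whole header"]
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        problems.append("max-age missing or not a non-negative integer")
    elif int(max_age) == 0:
        problems.append("max-age=0 clears the policy instead of enforcing it")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age={max_age} is below the 1-year preload minimum")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real site
    for value in ("max-age=31536000; includeSubDomains; preload",
                  "max-age=300; includeSubDomains", "max-age=0"):
        print(f"{value!r}: {check_hsts(value) or 'preload-ready'}")
```

Feed it the value you see in your own site's response header (for example from the browser's network panel) before submitting to the preload list.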

What attacks does HSTS prevent?

HSTS prevents SSL stripping attacks where an attacker downgrades your connection from HTTPS to HTTP to intercept traffic. It also prevents cookie hijacking on insecure networks. Once a browser sees the HSTS header, it refuses to connect over HTTP even if tricked.

What is HSTS preloading?

HSTS preloading adds your domain to a list built into browsers. This means browsers will use HTTPS for your site even on the first visit, before seeing your HSTS header. Submit your site at hstspreload.org after enabling HSTS with includeSubDomains.

Can HSTS cause problems if my HTTPS breaks?

Yes. If your SSL certificate expires or HTTPS breaks, visitors cannot access your site at all because browsers refuse HTTP. Start with a short max-age (like 300 seconds) to test, then increase once you confirm HTTPS works reliably. Preloading is permanent, so only do it when certain.

Check Your HSTS Configuration

Scan your site for HSTS and other security headers.