How to Enable HSTS (HTTP Strict Transport Security)
What is this?
HSTS tells browsers to always connect to your site over HTTPS, even if a user types http://. Once a browser has received the header on a valid HTTPS response, it rewrites every http:// request for that host to https:// before sending it and refuses plain-HTTP connections for the max-age duration. The header is ignored when it arrives over plain HTTP, so the policy only takes hold after the first successful HTTPS visit.
Why it matters
- Security: Prevents SSL-stripping attacks, where an attacker on the network downgrades HTTPS to HTTP, on every visit after the policy is cached (the very first visit is still exposed unless the domain is on the browsers' preload list). Browsers also stop users from clicking through certificate errors on an HSTS host.
- Performance: Eliminates the HTTP-to-HTTPS redirect on repeat visits, because the browser upgrades the URL before the request leaves the machine
- Compliance: Expected by many security baselines and header scanners, and commonly checked in PCI DSS assessments
How to fix it
Nginx
Put this in the server block that listens on 443 (browsers ignore the header on plain-HTTP responses). The always flag makes Nginx add it to error responses as well. Note that an add_header in a location block replaces every add_header inherited from the server block, so repeat it in any location that sets its own headers.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Apache
Requires mod_headers; place it in the HTTPS VirtualHost. The always condition applies the header to error responses too.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Caddy
Caddy obtains certificates and redirects HTTP to HTTPS automatically, but it does not add the HSTS header on its own. Add it inside the site block:
header Strict-Transport-Security "max-age=31536000; includeSubDomains"
Node.js / Express
The helmet middleware adds the header to every response. helmet() on its own already sets HSTS with its default max-age; calling helmet.hsts explicitly pins the values. maxAge is in seconds.
const helmet = require('helmet');

app.use(helmet.hsts({
  maxAge: 31536000,        // one year, in seconds
  includeSubDomains: true
}));
Common mistakes
- Setting max-age too short (e.g. 300 seconds). A short value is fine while you test; once the setup is stable, use at least 31536000 (1 year) for production.
- Adding includeSubDomains when some subdomains do not support HTTPS. Every subdomain, including internal and legacy ones, becomes unreachable over HTTP in browsers that have cached the policy. Test all subdomains first.
- Enabling HSTS before your HTTPS setup is stable. HSTS is difficult to undo once browsers cache the policy: the only rollback is to keep serving the header with max-age=0 over working HTTPS until the old policy has expired from users' browsers.
- Removing the HTTP-to-HTTPS redirect. Browsers only honour the header on an HTTPS response, so first-time visitors still need the redirect to reach it.
Test your fix
After enabling HSTS, audit your site on BeaverCheck to verify the header in the Security tab. Audit the https:// URL: the header only counts when it is sent on the HTTPS response.
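A command-line check you can run alongside the audit, as an added example that is not BeaverCheck's tooling and not part of the original page: it parses a Strict-Transport-Security value and flags the mistakes listed above (max-age missing, zero or under one year; includeSubDomains absent). The sample header values in the block are constructed stand-ins for real server responses; when you pass a URL as the first argument it fetches the live header with curl, which is assumed to be installed.

```shell
#!/bin/sh
# Added example: validate a Strict-Transport-Security header value against the
# rules above. Usage: sh hsts-check.sh https://your-site.example/
# (the URL is supplied by you; nothing here is BeaverCheck's own checker).

MIN_MAX_AGE=31536000   # one year, the production floor recommended above

# hsts_normalize VALUE: directive names are case-insensitive and whitespace
# around ';' is allowed, so lower-case, strip blanks, and put one directive per line.
hsts_normalize() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d ' \t' | tr ';' '\n'
}

# hsts_max_age VALUE: print the max-age number (empty output if the directive is absent).
hsts_max_age() {
    hsts_normalize "$1" | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# hsts_has_directive VALUE NAME: succeed if the bare directive NAME
# (lower-case, e.g. includesubdomains or preload) is present.
hsts_has_directive() {
    hsts_normalize "$1" | grep -qx "$2"
}

# check_hsts VALUE: print findings. Exit status 0 = production-ready,
# 1 = header present but weak, 2 = header missing.
check_hsts() {
    value="$1"
    if [ -z "$value" ]; then
        echo "FAIL: no Strict-Transport-Security header on the HTTPS response"
        return 2
    fi
    status=0
    max_age=$(hsts_max_age "$value")
    if [ -z "$max_age" ]; then
        echo "FAIL: max-age directive missing; browsers ignore the header without it"
        status=1
    elif [ "$max_age" -eq 0 ]; then
        echo "WARN: max-age=0 clears the cached policy; this is a rollback, not a protection"
        status=1
    elif [ "$max_age" -lt "$MIN_MAX_AGE" ]; then
        echo "WARN: max-age=$max_age is below one year ($MIN_MAX_AGE); fine for testing, too short for production"
        status=1
    else
        echo "OK: max-age=$max_age"
    fi
    if hsts_has_directive "$value" includesubdomains; then
        echo "OK: includeSubDomains set (confirm every subdomain serves HTTPS first)"
    else
        echo "WARN: includeSubDomains absent; subdomains stay open to SSL stripping"
        status=1
    fi
    if hsts_has_directive "$value" preload; then
        echo "INFO: preload directive present; it only takes effect once the domain is submitted to the browser preload list"
    fi
    return $status
}

# fetch_hsts URL: print the header value the server sends for URL. Use the
# https:// URL: the header is ignored on plain HTTP, and curl does not follow
# redirects here, so a redirecting URL would show you the wrong response.
fetch_hsts() {
    curl -sSI "$1" | tr -d '\r' \
        | grep -i '^strict-transport-security:' | head -n 1 \
        | cut -d: -f2- | sed 's/^[[:space:]]*//'
}

# Constructed sample values, standing in for real server responses.
for sample in "max-age=31536000; includeSubDomains" "max-age=300"; do
    echo "checking: $sample"
    check_hsts "$sample" || echo "exit status $?"
done

# Live check when a URL is given on the command line.
if [ $# -ge 1 ]; then
    echo "checking: $1"
    check_hsts "$(fetch_hsts "$1")"
fi
```

The exit status makes the script usable as a deploy gate: a non-zero status means the header would fail the checks above, and a missing header is distinguished (status 2) from a weak one (status 1).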