ExpressVPN Glossary
HTTP Strict Transport Security (HSTS)
What is HTTP Strict Transport Security?
HTTP Strict Transport Security (HSTS) is a web security policy that ensures a browser connects to a website using HTTPS only, rather than unsecured HTTP.
Defined in Request for Comments (RFC) 6797, HSTS instructs the browser to treat a site as HTTPS-only for a specified duration, helping prevent access to insecure versions of the site.
How does HTTP Strict Transport Security work?
HSTS works by instructing the browser through an HTTP response header, which is a small piece of metadata included in the server’s reply to a request. This header must be delivered over a valid HTTPS connection. The process works like this:
- The website sends a Strict-Transport-Security header over HTTPS.
- The browser stores the policy.
- Future HTTP requests to the site are automatically upgraded to HTTPS.
- The policy remains active for a specified period set by the server.

In short, once the HSTS policy is stored, the browser no longer attempts to access the website over HTTP. Instead, it upgrades requests to HTTPS.
The duration of this policy is controlled by the max-age directive within the header, which defines how many seconds the browser should remember the rule, counted from the moment the header is received. A value of 0 tells the browser to delete any stored policy for that host.
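The lifecycle above, as an added illustration that is not part of the original glossary entry or any browser's code: a small in-memory model of how a browser might parse the Strict-Transport-Security header, store the policy with its max-age expiry, and rewrite later http:// requests to https://. It also handles includeSubDomains, which is why the subdomain caveat in the risks section matters: once a parent domain sends that directive, every subdomain is upgraded whether or not it actually serves HTTPS. The names (parse_hsts, HstsStore, demo) and the hostnames in the walkthrough are constructed for the example.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None for a malformed header (missing or non-numeric max-age);
    a browser ignores such a header rather than guessing at a policy.
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # any other directive is ignored, which is what RFC 6797 requires
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Browser-side policy cache: host -> (expiry time, include_subdomains)."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be exercised in tests
        self.policies = {}

    def observe_response(self, url, headers):
        """Record (or clear) the policy carried by a response. Returns True if acted on."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False            # the header is only trusted over HTTPS
        header = headers.get("Strict-Transport-Security")
        if header is None:
            return False
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:
            self.policies.pop(parts.hostname, None)   # max-age=0 removes the policy
        else:
            self.policies[parts.hostname] = (self.clock() + max_age, include_subdomains)
        return True

    def is_known_https_host(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        now = self.clock()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.policies.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= now:
                del self.policies[candidate]        # expired policies are forgotten
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_https_host(parts.hostname):
            return url
        # default port 80 becomes default port 443; an explicit port is kept as-is
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Walk through the policy lifecycle with a controllable clock (constructed data)."""
    now = [1_000_000.0]
    store = HstsStore(clock=lambda: now[0])
    results = {}
    # 1. header delivered over plain HTTP is ignored, so nothing is upgraded
    store.observe_response("http://example.test/", {"Strict-Transport-Security": "max-age=300"})
    results["ignored_over_http"] = store.rewrite("http://example.test/login")
    # 2. header delivered over HTTPS with includeSubDomains is stored
    store.observe_response("https://example.test/",
                           {"Strict-Transport-Security": "max-age=300; includeSubDomains"})
    results["upgraded"] = store.rewrite("http://example.test/login?x=1")
    results["subdomain_upgraded"] = store.rewrite("http://api.example.test/v1")
    results["other_site"] = store.rewrite("http://other.test/")
    # 3. the policy lapses once max-age seconds have passed
    now[0] += 301
    results["expired"] = store.rewrite("http://example.test/login")
    # 4. max-age=0 sent over HTTPS clears a stored policy
    store.observe_response("https://example.test/", {"Strict-Transport-Security": "max-age=300"})
    store.observe_response("https://example.test/", {"Strict-Transport-Security": "max-age=0"})
    results["cleared"] = store.rewrite("http://example.test/")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module prints each step of the walkthrough. The two behaviours worth noticing are that the header seen over plain HTTP in step 1 is discarded (this is the Trust On First Use gap), and that in step 2 a request to api.example.test is upgraded purely because its parent domain sent includeSubDomains.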
Why is HTTP Strict Transport Security important?
HSTS is important because it enforces secure connections after the browser has already received a site's policy over a valid HTTPS connection.
This reduces the risk of downgrade attacks, such as Secure Sockets Layer (SSL) stripping, where an attacker tries to keep a connection on HTTP instead of HTTPS. It also reduces man-in-the-middle (MITM) attack risk by protecting traffic on untrusted networks after the initial connection.
However, HSTS doesn’t protect the very first connection to a website. This limitation is known as Trust On First Use (TOFU). If an attacker intercepts that initial request before the browser has seen the HSTS header, the header can be stripped before it reaches the browser, so no policy is ever stored and the protection is never applied.
Where is HTTP Strict Transport Security used?
HSTS is commonly used on websites and web applications where secure communication matters. Examples include:
- Banking and financial websites.
- Login and account portals.
- E-commerce checkout pages.
- Enterprise web applications.
- Security-focused online services.
These environments often handle passwords, payment information, customer records, or business data, making encrypted connections especially important. HSTS is typically part of a broader HTTPS-first security strategy rather than a standalone protection.
Risks and privacy concerns
Although HSTS improves security, it needs to be configured carefully. If a website’s HTTPS setup is incomplete or incorrect, HSTS can cause access problems. For example:
- Misconfiguration can break site access: Incorrect HSTS settings can make a site or subdomains inaccessible.
- HSTS can enable browser fingerprinting: Persistent HSTS settings can be abused to track users across sessions.
- Subdomain enforcement requires planning: Enabling HSTS for subdomains means all subdomains must support HTTPS, or they may become inaccessible.
Further reading
- What is a man-in-the-middle (MITM) attack and why is it dangerous?
- HTTP vs. HTTPS: How to choose the secure option for your site
- What is TLS encryption, and how does it protect your data?