HTTP Strict Transport Security (HSTS)

What is HTTP Strict Transport Security?

HTTP Strict Transport Security (HSTS) is a web security policy that ensures a browser connects to a website using HTTPS only, rather than unsecured HTTP.

Defined in Request for Comments (RFC) 6797, HSTS instructs the browser to treat a site as HTTPS-only for a specified duration, helping prevent access to insecure versions of the site.

How does HTTP Strict Transport Security work?

HSTS works by instructing the browser through an HTTP response header, which is a small piece of metadata included in the server’s reply to a request. This header must be delivered over a valid HTTPS connection. The process works like this:

  1. The website sends a Strict-Transport-Security header over HTTPS.
  2. The browser stores the policy.
  3. Future HTTP requests to the site are automatically upgraded to HTTPS.
  4. The policy remains active for a specified period set by the server.

An overview of how HSTS tells browsers to automatically upgrade future website visits to HTTPS.

In short, once the HSTS policy is stored, the browser no longer attempts to access the website over HTTP. Instead, it upgrades requests to HTTPS.

The duration of this policy is controlled by the max-age directive within the header, which defines how many seconds the browser should remember the rule. A value of 0 removes the policy.
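The steps above and the max-age rule, modelled as an added example (not code from the glossary or from any browser): a small browser-side HSTS store that only honours the header over HTTPS, remembers a host for max-age seconds, upgrades later http:// requests, and forgets the host on max-age=0. It also handles the RFC 6797 includeSubDomains directive; the host names are constructed.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


class HstsStore:
    """Remembers which hosts must be reached over HTTPS and until when."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.hosts = {}           # host -> (expires_at, include_subdomains)

    def observe(self, host: str, header: str, over_https: bool) -> None:
        # RFC 6797: the header only counts when received over a valid HTTPS connection.
        if not over_https:
            return
        policy = parse_hsts(header)
        if policy["max_age"] is None:
            return
        if policy["max_age"] == 0:     # max-age=0 tells the browser to drop the policy
            self.hosts.pop(host, None)
            return
        self.hosts[host] = (self.now() + policy["max_age"], policy["include_subdomains"])

    def is_known(self, host: str) -> bool:
        for known, (expires_at, subs) in list(self.hosts.items()):
            if expires_at <= self.now():   # expired entries are evicted lazily
                del self.hosts[known]
                continue
            if host == known or (subs and host.endswith("." + known)):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL to https:// when the host has a stored policy."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

The store never consults the header for the first plain-HTTP visit, which is exactly the Trust On First Use gap the page describes; the preload list discussed in the FAQ is what closes it.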

Why is HTTP Strict Transport Security important?

HSTS is important because it enforces secure connections after a browser has already received a site's HSTS policy over a valid HTTPS connection.

This reduces the risk of downgrade attacks, such as Secure Sockets Layer (SSL) stripping, where an attacker tries to keep a connection on HTTP instead of HTTPS. It also reduces man-in-the-middle (MITM) attack risk by protecting traffic on untrusted networks after the initial connection.

However, HSTS doesn’t protect the very first connection to a website. This limitation is known as Trust On First Use (TOFU). If an attacker intercepts that initial request before the browser has seen the HSTS header, they can prevent the protection from being applied.

Where is HTTP Strict Transport Security used?

HSTS is commonly used on websites and web applications where secure communication matters. Examples include:

  • Banking and financial websites.
  • Login and account portals.
  • E-commerce checkout pages.
  • Enterprise web applications.
  • Security-focused online services.

These environments often handle passwords, payment information, customer records, or business data, making encrypted connections especially important. HSTS is typically part of a broader HTTPS-first security strategy rather than a standalone protection.

Risks and privacy concerns

Although HSTS improves security, it needs to be configured carefully. If a website’s HTTPS setup is incomplete or incorrect, HSTS can cause access problems. For example:

  • Misconfiguration can break site access: Incorrect HSTS settings can make a site or subdomains inaccessible.
  • HSTS can enable browser fingerprinting: Persistent HSTS settings can be abused to track users across sessions.
  • Subdomain enforcement requires planning: Enabling HSTS for subdomains means all subdomains must support HTTPS, or they may become inaccessible.

FAQ

What does HSTS protect against?

HTTP Strict Transport Security (HSTS) helps protect against protocol downgrade attacks, Secure Sockets Layer (SSL) stripping, and some man-in-the-middle (MITM) attacks by forcing browsers to use HTTPS instead of HTTP.

Does HSTS force every visit to use HTTPS?

Yes. Once a browser stores an HTTP Strict Transport Security (HSTS) policy for a website, future visits are automatically upgraded to HTTPS for the length of that policy.

What is the HSTS preload list?

The HTTP Strict Transport Security (HSTS) preload list is a list built into browsers that marks certain websites as HTTPS-only from the very first visit, even before the browser has seen an HSTS header from that site.

Can HSTS cause website access problems?

Yes. If a website has HTTPS or certificate configuration issues, HTTP Strict Transport Security (HSTS) can prevent access until those issues are corrected.

Is HSTS the same as HTTPS?

No. HTTPS is the encrypted protocol used to secure website traffic, while HTTP Strict Transport Security (HSTS) is the policy that tells browsers to always use HTTPS for a specific site.