Transport Layer Security keeps getting more critical as attacks grow more sophisticated. But even with HTTPS enabled, websites remain vulnerable to protocol downgrade attacks and cookie hijacking. That's where HTTP Strict Transport Security comes in.
HSTS is a security policy mechanism that forces browsers to interact with servers exclusively through HTTPS connections. When properly configured, it prevents attackers from intercepting communications by downgrading secure connections to plain HTTP. The technology has become a cornerstone of modern web security architecture.
At its core, HSTS works through a simple HTTP response header that tells browsers: "Hey, only talk to me using HTTPS from now on." Once a browser receives this instruction, it automatically upgrades all future HTTP requests to HTTPS without making any insecure connections first. This happens before any data gets transmitted, closing a significant security gap.
The mechanism sounds straightforward. And in many ways, it is. But the devil lives in the implementation details, configuration choices, and understanding exactly what protection HSTS provides (and what it doesn't).
Table of contents
- How HSTS actually works
- The Strict-Transport-Security header explained
- HSTS directives and their functions
- Trust on first use problem
- HSTS preload lists
- Security benefits of HSTS
- HSTS limitations and attack vectors
- Implementation best practices
- Browser support and compatibility
- HSTS in practice
- Common implementation mistakes
- Testing your HSTS configuration
- Monitoring SSL certificates and HTTPS security
How HSTS actually works
When a server sends an HSTS policy to a browser, it's making a declaration about how that browser should behave for all future connections. The browser stores this policy in a persistent list tied to the domain name. Not IP addresses. Domain names only.
The policy includes an expiration time. Every time the browser receives a new HSTS header from that domain, it updates the expiration by adding the specified duration to the current time. This creates a rolling window of protection that extends as long as the user keeps visiting the site.
Before loading any HTTP URL, the browser checks its HSTS host list. If the domain matches (case-insensitive), the browser immediately converts the URL scheme from http to https. Port 80 gets changed to 443. Other explicit port numbers remain unchanged but still use HTTPS for the connection.
This upgrade happens before making any network request. No HTTP connection gets established. No opportunity exists for a man-in-the-middle attacker to intercept the initial request and redirect the user to a malicious server.
But there's more. When connecting to an HSTS host, if any TLS error occurs (expired certificate, invalid certificate, self-signed certificate), the browser refuses to display a "click through" option. Users cannot bypass the security warning. The connection simply fails.
This hard failure represents a deliberate design choice. Certificate warnings exist because certificates can be compromised, expired, or misconfigured. Allowing users to bypass these warnings defeats the purpose of strict security.
The Strict-Transport-Security header explained
The header syntax looks like this:
Servers must send this header over HTTPS connections only. Browsers ignore the header if received over plain HTTP. This prevents attackers from injecting false HSTS policies during man-in-the-middle attacks on insecure connections.
The header name itself causes some confusion. It's called Strict-Transport-Security (with hyphens), not HTTP-Strict-Transport-Security. The original specification changed names when it transitioned from "STS" to "HSTS" during the standardization process, but the header field name stayed as Strict-Transport-Security.
HSTS directives and their functions
Three directives control HSTS behavior:
max-age (required): Specifies the duration in seconds that the browser should remember the HSTS policy. Common values include:
- 31536000 (1 year)
- 63072000 (2 years)
- 0 (disables HSTS)
Setting max-age=0 over a secure HTTPS connection tells the browser to immediately remove the domain from its HSTS list. This represents the only way to disable HSTS for a domain. You cannot disable it over HTTP by design.
includeSubDomains (optional): Instructs the browser to apply the HSTS policy to all subdomains of the current domain. If example.com sends this directive, it covers api.example.com, www.example.com, staging.dev.example.com, and all other subdomains at any level.
This directive requires careful consideration. One subdomain without proper HTTPS support can break functionality for users after they receive an HSTS policy with includeSubDomains.
preload (optional, non-standard): Indicates the domain wants inclusion in browser HSTS preload lists. Requires max-age of at least 31536000 (1 year) and includeSubDomains must be present.
The preload directive doesn't actually do anything in browsers. It serves as a signal to the preload list submission service that the domain operator understands the requirements and consequences of preloading.
Trust on first use problem
HSTS has a chicken-and-egg problem. The browser only knows to use HTTPS after it has received the HSTS header. But it can only receive the header after making at least one connection to the server.
Here's how the vulnerability manifests:
- User visits
http://bank.example.comfor the first time - Browser has no HSTS policy stored for bank.example.com
- Connection uses plain HTTP
- Attacker intercepts the connection at a coffee shop Wi-Fi
- Attacker serves fake content or steals credentials
Only after the user successfully connects once over HTTPS and receives the HSTS header does protection kick in. That first connection remains vulnerable.
This "trust on first use" (TOFU) problem affects many security mechanisms. The solution? Preloading.
HSTS preload lists
Major browsers maintain hardcoded lists of domains that require HTTPS. These lists get compiled into the browser at build time. When a user types bank.example.com into their address bar, the browser already knows it should use HTTPS, even if they've never visited the site before.
Google maintains the canonical HSTS preload list at hstspreload.org. Chrome, Firefox, Safari, Edge, and Opera all use this list. Submitting your domain requires meeting specific criteria:
| Requirement | Details |
|---|---|
| Valid certificate | Must have a trusted SSL/TLS certificate |
| Redirect from HTTP | All HTTP traffic must redirect to HTTPS |
| Serve HSTS header | Must include max-age >= 31536000 |
| Include subdomains | Must specify includeSubDomains directive |
| Include preload | Must specify preload directive |
Getting on the preload list is easy. Getting off? That takes months. Browsers update their preload lists periodically, but users don't update their browsers instantly. A domain might remain in outdated browser versions for years after removal from the current list.
This creates a serious commitment. Before submitting, verify that:
- Every subdomain supports HTTPS
- Internal applications don't rely on HTTP
- Legacy systems have been migrated or retired
- Development environments use HTTPS
One forgotten staging server without HTTPS support can break access for engineers using updated browsers.
Security benefits of HSTS
The primary security improvement comes from eliminating SSL stripping attacks. Moxie Marlinspike demonstrated these attacks at BlackHat Federal in 2009 with his sslstrip tool. The attack works by:
- User requests
http://bank.example.com - Attacker intercepts the request
- Attacker connects to
https://bank.example.com - Server redirects to HTTPS
- Attacker strips the redirect and serves HTTP to the user
- User sees
http://bank.example.comin address bar - All traffic flows through attacker
HSTS breaks this attack chain. Once the browser has an HSTS policy, it never makes that initial HTTP request. The upgrade happens client-side before any network activity occurs.
Cookie hijacking also becomes harder. Tools like Firesheep made stealing session cookies trivial over unsecured networks. If cookies get set over HTTP, attackers can intercept them even if the main site uses HTTPS. HSTS ensures cookies for the domain only travel over encrypted connections.
Protocol downgrade attacks fail too. Attackers cannot force browsers to use older, vulnerable SSL versions when HSTS is active. The browser connects using the strongest available TLS version or fails completely.
HSTS limitations and attack vectors
HSTS doesn't solve everything. Several attack vectors remain:
DNS attacks: HSTS identifies hosts by domain name. An attacker who controls DNS resolution can redirect users to a different IP address. If the attacker presents a valid certificate for a similar-looking domain (examp1e.com instead of example.com), HSTS provides no protection. The browser sees a different domain not covered by the HSTS policy.
Time-based attacks: HSTS policies expire. If an attacker can manipulate system time using false NTP packets or other mechanisms, they might be able to make the browser think the HSTS policy has expired. This attack requires significant sophistication but remains theoretically possible.
First visit vulnerability: Without preloading, that first connection stays vulnerable. An attacker only needs to compromise one initial visit to steal credentials or plant malware.
Server compromise: If attackers gain control of the origin server, HSTS provides no protection. They can serve whatever content they want over valid HTTPS connections. HSTS prevents interception, not server-side breaches.
Certificate authority compromise: If a CA gets compromised and issues fraudulent certificates, HSTS alone won't detect this. HTTP Public Key Pinning (HPKP) was designed to address this but has been deprecated due to implementation complexity and risk.
Supercookie tracking: Researchers discovered that HSTS can be abused for tracking. By registering multiple domains and selectively setting HSTS policies, attackers can create a unique fingerprint that persists across browser restarts and private browsing modes. Browsers have implemented mitigations, but the technique demonstrates unintended consequences.
Implementation best practices
Getting HSTS right requires attention to several details:
Start with short max-age values: Test your configuration with max-age=300 (5 minutes) initially. This allows quick recovery if something breaks. Gradually increase to longer durations as confidence grows.
Use includeSubDomains carefully: Audit all subdomains first. One forgotten HTTP-only application can break functionality for users. Consider using a separate domain for services that cannot support HTTPS rather than subdomain.
Set cookies with Secure flag: HSTS prevents transmission over HTTP, but explicitly marking cookies as Secure adds defense in depth. The cookie won't even be included in HTTP requests should something go wrong.
Redirect HTTP to HTTPS: Servers should respond to HTTP requests with a 301 redirect to the HTTPS version. The redirect response should NOT include the HSTS header (it would be ignored anyway), but the subsequent HTTPS response should include it.
Apply HSTS at the apex domain: If www.example.com sends an HSTS policy with includeSubDomains, it doesn't protect example.com itself. The apex domain should also send HSTS headers. Better yet, send the header from both and use includeSubDomains on the apex.
Monitor for subdomains: As organizations grow, new subdomains appear. Implement monitoring to detect new subdomains and verify HTTPS support before they cause problems with HSTS policies.
Browser support and compatibility
All modern browsers support HSTS:
| Browser | Version | Notes |
|---|---|---|
| Chrome | 4.0.211.0+ | First implementation, maintains preload list |
| Firefox | 4+ | Integrated preload list in version 17 |
| Safari | 7+ | Support added in OS X Mavericks (2013) |
| Edge | All versions | Full support including preload list |
| Internet Explorer | 11 | Windows 8.1 and Windows 7 with KB3058515 |
| Opera | 12+ | Switched to Chromium base in version 15 |
Mobile browsers inherit support from their underlying engines. iOS Safari, Chrome on Android, and Samsung Internet all support HSTS.
Legacy browsers simply ignore the header. The website continues to function normally, just without the added security. This graceful degradation makes HSTS safe to deploy even when supporting older browsers.
HSTS in practice
Real-world HSTS deployment involves more than adding a header. Here's what a complete implementation looks like:
Step 1: Ensure HTTPS works everywhere
Before enabling HSTS, verify that every page, resource, and API endpoint works correctly over HTTPS. Check:
- Main website pages
- API endpoints
- Image and asset URLs
- Third-party integrations
- Subdomain applications
- Mobile app API connections
Step 2: Fix mixed content warnings
Browsers block or warn about mixed content (HTTP resources loaded from HTTPS pages). Audit all hardcoded URLs in:
- HTML templates
- CSS stylesheets
- JavaScript files
- Database content
- User-generated content
Use protocol-relative URLs (//example.com /image.jpg) or HTTPS absolute URLs.
Step 3: Test with short max-age
Deploy with max-age=300 and monitor for issues. Check error logs for:
- Failed certificate validations
- Connection timeouts
- Mixed content blocks
- Subdomain access problems
Step 4: Increase max-age gradually
After 24 hours without issues, increase to max-age=86400 (1 day). Then weekly increments: 7 days, 30 days, 90 days, finally 1 or 2 years.
Step 5: Add includeSubDomains
Once confident in the main domain, add includeSubDomains with a short max-age. Test all subdomain functionality.
Step 6: Consider preloading
Submit to the HSTS preload list only after running with max-age=31536000; includeSubDomains for several weeks without issues.
Common implementation mistakes
Several pitfalls catch developers off guard:
Setting HSTS over HTTP: Browsers ignore the header completely. This mistake provides a false sense of security while offering no actual protection.
Forgetting about subdomains: Adding includeSubDomains without checking every subdomain breaks access to HTTP-only applications. Always audit first.
Using too long max-age immediately: Starting with 2 years makes it difficult to recover from configuration errors. Users might be locked out for months.
Not handling API clients: Mobile apps and API clients might not handle HSTS correctly if they use custom HTTP libraries. Test thoroughly.
Assuming HSTS prevents all attacks: HSTS specifically addresses protocol downgrade attacks. It doesn't prevent phishing, XSS, CSRF, or server-side vulnerabilities.
Neglecting certificate expiration: HSTS makes certificate errors fatal. Users cannot bypass expired certificates. Certificate expiration monitoring becomes critical, not just best practice.
Testing your HSTS configuration
Verify your HSTS implementation using these methods:
Check headers directly:
Should return something like:
Use online tools:
- securityheaders.com analyzes header configuration
- hstspreload.org checks preload eligibility
- ssllabs.com/ssltest includes HSTS in its analysis
Inspect browser storage:
Chrome users can view HSTS policies at chrome://net- internals/#hsts. Enter a domain to query or delete its HSTS policy for testing.
Firefox stores HSTS policies in SiteSecurityServiceState.txt in the profile directory.
Test the upgrade behavior:
- Clear browser HSTS data for your domain
- Visit the HTTPS version to receive the HSTS header
- Try to visit the HTTP version
- Browser should automatically upgrade to HTTPS without making an HTTP request
Verify error handling:
- Configure a test domain with HSTS
- Intentionally use an invalid certificate
- Confirm the browser shows a hard error with no bypass option
Monitoring SSL certificates and HTTPS security
HSTS makes certificate management more critical. When certificates expire or become invalid, users cannot access your site at all. No "proceed anyway" option exists.
Robust monitoring should track:
- Certificate expiration dates (alert 30 days before expiry minimum)
- Certificate chain validity
- TLS protocol versions
- Cipher suite configurations
- HSTS header presence and configuration
- Mixed content issues
Automated renewal systems like Let's Encrypt help, but monitoring remains vital. Renewal processes can fail due to DNS issues, rate limits, or configuration errors.
Odown provides specialized monitoring for these scenarios. The platform continuously checks SSL certificate validity, expiration dates, and proper HTTPS configuration. When issues arise, Odown sends immediate alerts through multiple channels, giving teams time to resolve problems before they impact users. The service also monitors website and API uptime, ensuring your HSTS-protected services remain accessible. Public status pages keep users informed during incidents, while SSL certificate monitoring prevents the catastrophic access failures that HSTS can cause when certificates expire unexpectedly.
