What is HSTS?
HSTS is like a contract with web browsers that says "always use secure connections to my domain." Once a browser has received the policy, it rewrites any HTTP request for your site to HTTPS before sending it, so even someone who clicks an HTTP link reaches the site over a secure connection.
Why It Matters
Without HSTS protection, visitors to your domain are exposed to:
Attackers intercepting and modifying web traffic that is sent over plain HTTP
Connection downgrades from secure HTTPS to insecure HTTP, for example when an initial http:// request is never upgraded
Theft of sensitive data such as passwords and session cookies
Man-in-the-middle attacks in which an attacker on the network path reads and alters traffic between the visitor and the site
Security Checks
We monitor these aspects of your HSTS configuration:
Is an HSTS header present for the domain?
HTTP Strict Transport Security (HSTS) tells browsers to only connect to the domain using secure HTTPS connections. Without this header, browsers may attempt to use insecure HTTP connections, making the site vulnerable to downgrade attacks.
Is the HSTS max-age value properly formatted?
The domain's HSTS policy has a missing or incorrectly formatted max-age value. Browsers cannot tell how long to enforce HTTPS-only connections to the domain, and because max-age is a required directive, a header without a valid one is discarded entirely.
Is the HSTS max-age period set to a secure duration?
The domain's HSTS policy expires in less than one year (31,536,000 seconds). A short expiry means the policy lapses sooner in visitors' browsers, and a browser whose policy has lapsed is open to a downgrade again until it next receives the header over HTTPS.
Are subdomains included in the HSTS policy?
The domain's HSTS policy doesn't include the 'includeSubDomains' directive. This means subdomains can still accept insecure connections, potentially allowing attackers to intercept traffic.
Is the HSTS policy configured for preloading?
The domain's HSTS policy isn't set up for browser preloading. Without preloading, visitors are vulnerable to connection downgrade attacks on their very first visit (and after the policy expires), because the browser has not yet received the HSTS header; preloading ships the policy with the browser itself.
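The five checks above can be run against a captured Strict-Transport-Security header value. The following Python is an added example, not code from the original page or from the monitoring service it describes; the header values it evaluates are constructed, and the function and class names are my own.

```python
"""Evaluate a Strict-Transport-Security header against the five checks
described above.  Added example, not part of the original page or of any
monitoring product; the sample header values below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ONE_YEAR = 31_536_000  # seconds; the minimum max-age the checks above call for


@dataclass
class HstsReport:
    present: bool
    max_age: Optional[int]      # None when missing or malformed
    max_age_valid: bool
    long_enough: bool
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Dict[str, str]:
    """Split a header value into lower-cased directives (RFC 6797 directive
    names are case-insensitive; an optional quoted value is unquoted)."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(header: Optional[str]) -> HstsReport:
    """Run the presence, max-age format, duration, includeSubDomains and
    preload checks.  `header` is the Strict-Transport-Security value taken
    from an HTTPS response (browsers ignore the header on plain HTTP)."""
    if header is None:
        return HstsReport(False, None, False, False, False, False)
    d = parse_hsts(header)
    raw = d.get("max-age")
    # max-age must be present and be a plain non-negative integer
    max_age = int(raw) if raw is not None and re.fullmatch(r"\d+", raw) else None
    return HstsReport(
        present=True,
        max_age=max_age,
        max_age_valid=max_age is not None,
        long_enough=max_age is not None and max_age >= ONE_YEAR,
        include_subdomains="includesubdomains" in d,
        preload="preload" in d,
    )


def findings(header: Optional[str]) -> List[str]:
    """Human-readable list of failed checks, in the order the page lists them."""
    r = check_hsts(header)
    if not r.present:
        return ["HSTS header missing"]
    out: List[str] = []
    if not r.max_age_valid:
        out.append("max-age missing or malformed")
    elif not r.long_enough:
        out.append(f"max-age {r.max_age} is below one year ({ONE_YEAR})")
    if not r.include_subdomains:
        out.append("includeSubDomains not set")
    if not r.preload:
        out.append("preload not set")
    return out


if __name__ == "__main__":
    # Constructed samples: a missing header, two weak ones, and the recommended value
    for sample in (None, "max-age=300", "max-age=oops; includeSubDomains",
                   "max-age=31536000; includeSubDomains; preload"):
        print(repr(sample), "->", findings(sample) or ["all checks pass"])
```

The header value that passes all five checks is `max-age=31536000; includeSubDomains; preload`. Two caveats when acting on the findings: includeSubDomains commits every subdomain, including ones that may not serve HTTPS today, so confirm they all do before adding it; and the preload directive alone only makes the domain eligible for the browser preload list, the domain still has to be submitted and accepted before first-visit protection applies.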
Industry Standards
HSTS is recommended by:
OWASP Security Standards
NIST Web Security Guidelines
Mozilla Web Security Guidelines
Google Web Security Requirements
UK NCSC Web Security Guidance