If you have a group of employees or users who can beta test the deployment, consider trying the first few ramp-up stages on those users. Then make sure to go through all stages for all users, starting over from the beginning.
If your site is committed to HTTPS and you want browsers to enforce that your page is loaded only over HTTPS, we suggest the following steps to enable HSTS:
A site that enables HSTS helps protect its users from the following attacks by an on-path attacker:
When a web browser enforces a domain's HSTS policy, it will upgrade all http:// URLs for that domain to HTTPS before any request is sent, so no plaintext request for that domain ever leaves the browser. If the policy also sets includeSubDomains, it will do this for all subdomains as well. For an HSTS host the browser also treats TLS certificate errors as fatal and offers the user no click-through.
HTTP Strict Transport Security (HSTS) is a mechanism for websites to instruct web browsers that the site should only be accessed over HTTPS. This mechanism works by sites sending a Strict-Transport-Security HTTP response header containing the site's policy. Browsers only honour the header when it arrives in a response received over HTTPS; the same header sent over plain HTTP is ignored.
Preloading HSTS

Since sites tell the browser that they support HSTS when the browser visits, the browser cannot know a site's HSTS policy before the user has visited the site for the first time. As a result, the browser cannot require HTTPS until after the first time it has connected to the site, possibly leaving the user unprotected on that first connection. After this first load, the web browser has the site's HSTS policy and is able to require HTTPS for all subsequent loads, for as long as the policy's max-age has not expired (each later HTTPS response refreshes it).

To account for this first-load problem, Chrome maintains a list of domains that have a strong HSTS policy and are HTTPS only. This HSTS preload list is built into Chrome. Requests to these domains will only be made over HTTPS; any HTTP requests will be upgraded to HTTPS and fail to connect if HTTPS is unavailable. Other major browsers (Firefox, Safari, IE 11 and Edge) also have HSTS preload lists based on the Chrome list.

Many browsers (Chrome, Safari) will automatically upgrade all HTTP navigations to HTTPS, regardless of the domain's HSTS policy. HSTS preloading only provides value when these upgrades fail in the presence of an active attacker. The benefits provided by HSTS preloading are minimal compared to the benefits provided by HSTS. While HSTS is recommended, HSTS preloading is not recommended.
Submission Requirements

If a site sends the preload directive in an HSTS header, it is considered to be requesting inclusion in the preload list and may be submitted via the form on this site. In order to be accepted to the HSTS preload list through this form, your site must satisfy the following set of requirements:

- Serve a valid certificate.
- Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.
- Serve all subdomains over HTTPS. In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists. Note: HSTS preloading applies to all subdomains, including internal subdomains that are not publicly accessible.
- Serve an HSTS header on the base domain for HTTPS requests:
  - The max-age must be at least 31536000 seconds (1 year).
  - The includeSubDomains directive must be specified.
  - The preload directive must be specified.
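The browser-side behaviour described earlier (parsing the Strict-Transport-Security header, exact and subdomain matching, rewriting http:// to https:// before a request is sent) and the header checks in the submission requirements above, as one added example in Python. This is not code from hstspreload.org, Chromium or any browser; it follows RFC 6797 and the requirements listed on this page. The hostnames, header values and timestamps are constructed, and the names HstsStore, HstsPolicy, parse_hsts_header, preload_header_problems and upgrade_url are this example's own.

```python
# Added example, not code from hstspreload.org or any browser: a model of the
# HSTS behaviour described above (RFC 6797) plus a checker for the header rules
# of the preload submission form. Hostnames and headers are constructed.
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # max-age floor (seconds) required by the preload form

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts_header(value: str):
    """Parse a Strict-Transport-Security value (RFC 6797 s6.1). Returns None
    where a browser must ignore the header: no/invalid max-age or a repeated directive."""
    seen, max_age, include_subdomains, preload = set(), None, False, False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')  # the delta-seconds value may be quoted
            if not (val.isascii() and val.isdigit()):
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)

def preload_header_problems(value: str) -> list:
    """Check the base domain's HTTPS response header against the form's rules."""
    policy = parse_hsts_header(value)
    if policy is None:
        return ["no valid Strict-Transport-Security header (max-age missing or malformed)"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age={policy.max_age} is below {ONE_YEAR} (1 year)")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems

def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

class HstsStore:
    """A browser's known HSTS hosts: a static (preloaded) set plus dynamic entries."""

    def __init__(self, preloaded=()):
        self._static = {h.lower() for h in preloaded}  # preloaded entries cover subdomains
        self._dynamic = {}  # host -> (HstsPolicy, expiry time)

    def observe(self, host: str, header_value: str, now: float):
        """Record a header from an HTTPS response without certificate errors.
        Headers seen over plain HTTP must not reach here; IP hosts are never HSTS hosts."""
        host = host.lower()
        policy = parse_hsts_header(header_value)
        if policy is None or _is_ip_literal(host):
            return
        if policy.max_age == 0:  # max-age=0 tells the browser to forget the host
            self._dynamic.pop(host, None)
        else:
            self._dynamic[host] = (policy, now + policy.max_age)

    def is_hsts_host(self, host: str, now: float) -> bool:
        """Exact match, or a superdomain match whose policy includes subdomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self._static:
                return True
            entry = self._dynamic.get(candidate)
            if entry and entry[1] > now and (i == 0 or entry[0].include_subdomains):
                return True
        return False

def upgrade_url(store: HstsStore, url: str, now: float) -> str:
    """Rewrite http:// to https:// for a known HSTS host before any request is
    sent. Port 80 becomes the default 443; other explicit ports are kept (s8.3)."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme != "http" or not host or not store.is_hsts_host(host, now):
        return url
    netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Two design points worth noting. Duplicate directives make the whole header invalid rather than "last one wins", which is what RFC 6797 requires and which stops a misconfigured front end from silently shortening a policy; and the subdomain walk checks every superdomain, so a header on example.com with includeSubDomains covers deep.sub.example.com but a policy without it covers only the exact host, which is exactly why the preload form insists on includeSubDomains.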