HSTS (HTTP Strict Transport Security) setup for website

Our company is engaged in the development, support and maintenance of sites of any complexity. From simple one-page sites to large-scale cluster systems built on micro services. Experience of developers is confirmed by certificates from vendors.
8+Years of work900+Completed projects100+In house employees19+Partners
Development and maintenance of all types of websites:
Informational websites or web applications
Business card websites, landing pages, corporate websites, online catalogs, quizzes, promo websites, blogs, news resources, informational portals, forums, aggregators
E-commerce websites or web applications
Online stores, B2B portals, marketplaces, online exchanges, cashback websites, exchanges, dropshipping platforms, product parsers
Business process management web applications
CRM systems, ERP systems, corporate portals, production management systems, information parsers
Electronic service websites or web applications
Classified ads platforms, online schools, online cinemas, website builders, portals for electronic services, video hosting platforms, thematic portals

These are just some of the technical types of websites we work with, and each of them can have its own specific features and functionality, as well as be customized to meet the specific needs and goals of the client.

Offered services
Showing 1 of 1 servicesAll 2065 services
HSTS (HTTP Strict Transport Security) setup for website
Simple
~2-3 hours
FAQ
Our competencies:
Development stages
Latest works
  • image_web-applications_feedme_466_0.webp
    Development of a web application for FEEDME
    1161
  • image_ecommerce_furnoro_435_0.webp
    Development of an online store for the company FURNORO
    1041
  • image_crm_enviok_479_0.webp
    Development of a web application for Enviok
    822
  • image_crm_chasseurs_493_0.webp
    CRM development for Chasseurs
    847
  • image_website-sbh_0.png
    Website development for SBH Partners
    999
  • image_website-_0.png
    Website development for Red Pear
    451
Show more works

HSTS (HTTP Strict Transport Security) Setup for Websites

HSTS — mechanism where browser remembers site is available only via HTTPS and no longer tries HTTP connection. Single header in server configuration eliminates entire class of SSL stripping attacks.

How It Works

Server returns header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

After first visit browser caches this directive for 365 days. All subsequent requests to domain and subdomains automatically redirect to HTTPS before sending to network — without 301 redirect, without round-trip to server.

Nginx Setup

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Rest of configuration...
}

always parameter is critical — without it header won't be sent on error responses (4xx, 5xx).

Apache Setup

<VirtualHost *:443>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>

mod_headers module must be enabled: a2enmod headers.

Gradual Rollout

Sharp HSTS activation with max-age=31536000 on production site — risky. If later SSL certificate doesn't cover some subdomain, users can't access it for months.

Recommended Order:

  1. Verify all subdomains work via HTTPS
  2. Configure automatic certificate renewal (Let's Encrypt + Certbot or similar)
  3. Set max-age=300 (5 minutes), test for a week
  4. Increase to max-age=2592000 (30 days)
  5. Set max-age=31536000; includeSubDomains
  6. Submit application to HSTS Preload List

HSTS Preload List

Application submitted to hstspreload.org. After inclusion browsers Chrome, Firefox, Safari know about your HSTS requirement before first user visit. Removing domain from list — long process (several months), so only domains with stable HTTPS infrastructure are included.

Preload Requirements:

  • max-age at least 31536000
  • includeSubDomains directive
  • preload directive
  • All subdomains must support HTTPS

Implementation Timeline

Basic header setup — 1–2 hours including testing. Full cycle to preload status — 2–4 weeks including gradual max-age increase.