What we check
We verify your site enforces HTTPS connections
We check if your site enforces HTTPS connections through the HTTP Strict Transport Security (HSTS) header. This header tells browsers to access your site only over HTTPS, never HTTP, even if the user types 'http://' or clicks an HTTP link. The policy takes effect only after a browser has received the header on an HTTPS response; the very first request can still go out over HTTP unless the domain is on the browser preload list.
Security Impact
Why HSTS headers are critical for security
Prevents downgrade attacks
HSTS forces browsers to use HTTPS for every request to the host, which defeats SSL-stripping attacks where an attacker on the network path rewrites HTTPS links to HTTP and silently serves the site in plaintext so traffic can be read or modified.
Blocks man-in-the-middle attacks
By enforcing HTTPS at the browser level, HSTS stops attackers on a hostile network (public Wi-Fi, a compromised router) from reading traffic or injecting content. It also makes certificate errors fatal for the host: browsers drop the "proceed anyway" option, so an attacker cannot rely on users clicking through a forged certificate.
Protects cookie security
HSTS ensures that cookies (including session tokens) are only ever sent to the host over encrypted connections, preventing cookie theft by passive sniffing. It complements rather than replaces the Secure cookie attribute: without includeSubDomains, a cookie scoped to the parent domain can still be sent in plaintext to an HTTP-only subdomain.
Reduces mixed content risks
Browsers upgrade any HTTP subresource request to an HSTS-protected host to HTTPS before sending it, so an HTTPS page that accidentally references http:// images or scripts on your own domain does not load them insecurely. HTTP resources from third-party hosts without HSTS are not covered, so mixed content warnings can still occur for those.
Implementation
How to implement HSTS
With Httpeace
Httpeace automatically checks if HSTS is enabled and properly configured:
- Add your domain to Httpeace
- We check for HSTS headers automatically every day
- Get instant alerts if HSTS is missing or misconfigured
- See recommended HSTS configuration in your dashboard
Without Httpeace
Manual HSTS implementation and monitoring requires server configuration and ongoing verification:
# Check if HSTS header is present (it is only honoured on HTTPS responses,
# so always test the https:// URL)
curl -sI https://yourdomain.com | grep -i strict-transport

# Test with online tools
# Visit: https://hstspreload.org/
# Visit: https://securityheaders.com/

# Check HSTS in Chrome
# 1. Visit chrome://net-internals/#hsts
# 2. Enter domain in "Query HSTS/PKP domain"
# 3. Check if domain is in HSTS list

# Extract the max-age value (seconds) from the header
curl -sI https://yourdomain.com 2>&1 | \
  grep -i strict-transport | \
  sed 's/.*max-age=\([0-9]*\).*/\1/'
You'll need to:
- Configure HSTS in Nginx, Apache, Next.js, or Cloudflare (different syntax for each)
- Start with low max-age (300 seconds) for testing to avoid lockout
- Test every page to ensure entire site works on HTTPS before enabling HSTS
- Gradually increase max-age: 300 → 86400 → 2592000 → 31536000
- Verify includeSubDomains won't break any HTTP-only subdomains
- Decide if you want preload (requires hstspreload.org submission)
- Test in multiple browsers to verify header is sent correctly
- Monitor daily to ensure HSTS header remains configured
- Set up alerts if header is accidentally removed during deployments
- Document rollback procedure in case HSTS causes issues
- Remember: HSTS is cached by browsers - mistakes are hard to undo
HSTS configuration is tricky because mistakes can lock users out of your site. Testing must be thorough, and ongoing monitoring is critical to catch accidental removals.
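The checks in the list above (header present, well formed, max-age high enough, includeSubDomains and preload consistent) can be scripted so they run after every deployment. The following is an added example written for this page, not Httpeace's own checker or code from any server project. It parses a Strict-Transport-Security value the way RFC 6797 tells browsers to (case-insensitive directive names, optional quoted max-age, duplicate or malformed directives invalidate the whole header) and grades it. The one-year threshold and the finding labels are assumptions chosen here; the sample headers are constructed, not captured from a real site.

```python
"""Parse and grade Strict-Transport-Security headers (RFC 6797)."""
import http.client
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ONE_YEAR = 31536000                  # seconds; also the preload list's minimum max-age
RECOMMENDED_MIN_MAX_AGE = ONE_YEAR   # assumption: the floor this page treats as "recommended"


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        # Browsers discard the whole header when a directive is malformed or
        # duplicated, or when max-age is absent (RFC 6797 sections 6.1 and 8.1).
        return not self.errors and self.max_age is not None


def parse_hsts(value: str) -> HstsPolicy:
    """Parse one header value into a policy object."""
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':   # max-age="31536000" is legal
            val = val[1:-1]
        if name in seen:
            policy.errors.append(f"duplicate directive '{name}'")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"[0-9]+", val):
                policy.max_age = int(val)
            else:
                policy.errors.append(f"bad max-age value {val!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":        # non-standard directive used by hstspreload.org
            policy.preload = True
        # any other directive is ignored by browsers, so it is ignored here too
    if policy.max_age is None and not policy.errors:
        policy.errors.append("max-age directive missing")
    return policy


def grade_hsts(headers: Dict[str, str], scheme: str = "https") -> List[str]:
    """Return findings for one response, the way a daily monitor would."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["MISSING: no Strict-Transport-Security header"]
    if scheme != "https":
        # RFC 6797 8.1: the header is only honoured on an HTTPS response
        return ["IGNORED: HSTS sent over plain HTTP is discarded by browsers"]
    p = parse_hsts(value)
    if not p.valid:
        return ["MALFORMED: " + "; ".join(p.errors)]
    findings = []
    if p.max_age == 0:
        findings.append("REMOVING: max-age=0 clears the policy in browsers that receive it")
    elif p.max_age < RECOMMENDED_MIN_MAX_AGE:
        findings.append(f"WEAK: max-age={p.max_age} is below {RECOMMENDED_MIN_MAX_AGE} (one year)")
    if not p.include_subdomains:
        findings.append("INFO: includeSubDomains not set; subdomains and parent-domain cookies stay unprotected")
    if p.preload:
        if p.max_age >= ONE_YEAR and p.include_subdomains:
            findings.append("PRELOAD: header meets hstspreload.org requirements")
        else:
            findings.append("PRELOAD: 'preload' present but max-age < 1 year or includeSubDomains missing")
    return findings or ["OK"]


def fetch_headers(host: str) -> Dict[str, str]:
    """Live check: one HEAD request over TLS, returning the response headers."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", "/")
    return dict(conn.getresponse().getheaders())


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "good":    {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "testing": {"Strict-Transport-Security": "max-age=300"},
    "dup":     {"Strict-Transport-Security": "max-age=300; max-age=31536000"},
    "missing": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, grade_hsts(hdrs))
    # for a live host: print(grade_hsts(fetch_headers("example.com")))
```

Run it in CI after each deployment and fail the pipeline on MISSING or MALFORMED; during the max-age ramp, treat WEAK as expected until the final value is in place. The duplicate-directive and quoted-value cases are in the parser because a header that merely "looks present" to a grep can still be one that browsers silently throw away.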
FAQ
Frequently asked questions
What happens if I add HSTS headers incorrectly?
If you add HSTS headers while your site is not fully HTTPS (e.g., some pages only work on HTTP), those pages will become inaccessible. Always ensure your entire site works on HTTPS before enabling HSTS. Start with a low max-age value (like 300 seconds) for testing before increasing it.
How do I remove HSTS if I need to?
To remove HSTS, keep serving the site over HTTPS but send the header with max-age=0. Any browser that receives that response drops its cached policy immediately; browsers that do not revisit keep the old policy until it expires, so with max-age=31536000 stragglers can take up to a year to clear unless users manually clear browser data. Simply deleting the header does not help, because browsers never see a removal. If the domain is on the preload list, you must also request removal at hstspreload.org, which is slow and only reaches users as browsers update. This is why starting with a lower max-age during testing is important.
Should I use includeSubDomains?
Only use includeSubDomains if ALL your subdomains support HTTPS. If any subdomain is HTTP-only, it will become inaccessible in browsers that have cached the policy. Test thoroughly before enabling this option. For most sites with modern infrastructure, includeSubDomains is recommended: it also keeps cookies set on the parent domain from being sent in plaintext to a subdomain, and it is a requirement for preloading.
What is HSTS preloading?
HSTS preloading submits your domain to a list shipped inside browsers (maintained at hstspreload.org). This provides maximum security by enforcing HTTPS even on the very first visit, before the browser has ever received an HSTS header. To qualify, your site must redirect HTTP to HTTPS on the same host, serve every subdomain over HTTPS, and send the header with max-age of at least 31536000 (one year), includeSubDomains, and the non-standard preload directive. Getting removed from the preload list is slow and depends on browser releases, so only enable this when you're confident your site and all its subdomains will remain HTTPS permanently.
How does Httpeace check for HSTS headers?
Httpeace makes HTTPS requests to your domain and inspects the response headers for the Strict-Transport-Security header. We check that it's present, properly formatted, and has a reasonable max-age value. We alert you if the header is missing, malformed, or has a max-age below recommended values.
Related checks
Other checks in this category
SSL Certificate Expiry
Prevent browser warnings by monitoring certificate expiration dates.
Content Security Policy
Block XSS attacks and code injection with CSP headers.
SSL Certificate Validity
Ensure encrypted connections are trusted by validating certificate chains.
Subdomain Takeover
Prevent attackers from hijacking dangling subdomains.
Peace of mind for your domains.
Start monitoring today and prevent outages, hacks, and costly mistakes.