HSTS Test

What is it?

Strict-Transport-Security is an HTTP response header that instructs browsers to access a site only over HTTPS. Once a browser receives the header, it automatically upgrades all future requests for the domain to HTTPS and refuses to fall back to HTTP for the duration of the policy. This test checks whether your server sends the Strict-Transport-Security header on its responses, closing the small but real window of vulnerability that exists before a plain HTTP request gets redirected to HTTPS.

Why HSTS matters

HTTPS plus a redirect from HTTP is good, but it is not airtight. The first request a user ever makes to your site might still go over HTTP before being redirected, and that initial request can be intercepted by an attacker on a hostile network. HSTS closes this gap: once a browser has seen the HSTS header, it does not try HTTP again for as long as the policy is valid, eliminating the window of vulnerability.

HSTS is particularly important for sites handling authentication, payments, or any sensitive data, where a single intercepted request could compromise a user's account. It is also a baseline expectation in many security audits and compliance frameworks. The cost is one HTTP header per response, and the security improvement closes a real attack window for users on hostile networks.

Common HSTS configuration concerns

  • Header not sent, which leaves the protection un-deployed.
  • A short max-age (below a few months), which provides little protection. Bump it to a year (31536000) once HTTPS is stable.
  • includeSubDomains directive enabled prematurely, which breaks subdomains that lack HTTPS. Only add this directive after every subdomain serves HTTPS.
  • HSTS not paired with HTTP-to-HTTPS redirects: HSTS only kicks in after a successful HTTPS visit, so redirects still do the work for first-time visitors.

This test verifies that your server sends the HSTS header on HTTPS responses. The fix guide below covers configuring the header in the major web servers and CDNs, the recommended ramp from short to long max-age, and the considerations around the preload directive that ships your site with HSTS baked into browsers.

Pass rate:

  • Top 100 websites: 84%
  • All websites: 34%

Pass rates of Top 100 US websites by year:

  • 2021: N/A
  • 2022: 85%
  • 2023: 82%
  • 2024: 84%

How do I fix it?

The Strict-Transport-Security (HSTS) response header tells browsers to access the site only over HTTPS, automatically upgrading future requests and refusing to fall back to HTTP. Fixing this issue means configuring the server to send the header on every HTTPS response.

Example

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Where to make the change

  • Server configuration: add the header in Nginx (add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;), Apache (Header always set Strict-Transport-Security ...), or your application's response middleware.
  • CDN: Cloudflare, Fastly, and CloudFront let you set HSTS at the edge so it applies regardless of origin configuration.
  • Cloud platforms: Netlify and Vercel allow HSTS via headers files (_headers on Netlify, vercel.json on Vercel).

Common causes and how to resolve them

  • Header not sent: add it in the server or CDN config. Confirm in the browser's DevTools Network tab.
  • Header sent only on HTTP responses: HSTS is only honored over HTTPS, so the header must accompany the HTTPS response.
  • Short max-age: a max-age below a few months provides little protection. Bump to a year (31536000) once you are confident HTTPS is stable.
  • includeSubDomains breaking subdomains that lack HTTPS: only add this directive after every subdomain serves HTTPS. Otherwise users will lose access to the HTTP-only ones.
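The checks in this list and in the "Common HSTS configuration concerns" list above can be automated against captured responses. The following is an added example (not part of this guide or any of the tools it names) that parses the Strict-Transport-Security value and reports each concern; the `parse_hsts`/`check_hsts` names, the sample responses and the `all_subdomains_https` flag are constructed for illustration.

```python
import re

ONE_YEAR = 31536000  # the long-term max-age the guide recommends

def parse_hsts(value):
    """Split an HSTS value into (max_age, includeSubDomains, preload); RFC 6797 names are case-insensitive."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip()
        if name == "max-age" and re.fullmatch(r'"?\d+"?', raw):
            max_age = int(raw.strip('"'))  # value may be quoted
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload

def check_hsts(scheme, headers, all_subdomains_https=True):
    """Return findings for one response (empty list = pass). `headers` is a dict of
    response headers, looked up case-insensitively; `scheme` is 'http' or 'https'."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["header not sent"]
    findings = []
    max_age, include_sub, preload = parse_hsts(value)
    if scheme.lower() != "https":
        findings.append("header seen on an HTTP response: browsers only honor HSTS over HTTPS")
    if max_age is None:
        findings.append("max-age missing: the header is invalid and browsers ignore it")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below the recommended year ({ONE_YEAR})")
    if include_sub and not all_subdomains_https:
        findings.append("includeSubDomains set while some subdomains lack HTTPS")
    if preload and not (include_sub and max_age is not None and max_age >= ONE_YEAR):
        findings.append("preload set but hstspreload.org requires max-age >= 1 year plus includeSubDomains")
    return findings

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "good":      ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    "missing":   ("https", {"Content-Type": "text/html"}),
    "http_only": ("http",  {"Strict-Transport-Security": "max-age=31536000"}),
    "short":     ("https", {"strict-transport-security": "max-age=604800"}),
    "early_sub": ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
}

if __name__ == "__main__":
    for name, (scheme, hdrs) in SAMPLES.items():  # early_sub models subdomains still on HTTP
        print(f"{name:10} {check_hsts(scheme, hdrs, name != 'early_sub') or ['pass']}")
```

Feed it the scheme and headers of a real HTTPS response (for example from `curl -sI`) and an empty result means the header would pass every item in the list above.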

Best practices

  • Start with a short max-age, then ramp up: a one-week max-age lets you back out quickly if something breaks. Increase to a year once stable.
  • Add preload after testing: submit your domain to hstspreload.org so browsers ship with HSTS for your site baked in. Note that removing a preloaded site is slow.
  • Pair with HTTP-to-HTTPS redirects: HSTS only kicks in after a successful HTTPS visit. Until then, redirects do the work.
