What Is HSTS (HTTP Strict Transport Security)?
HSTS (defined in RFC 6797) is a web security mechanism by which a server tells browsers to communicate with it only over HTTPS. It defends against protocol downgrade attacks and cookie hijacking by ensuring every connection to the host is encrypted, and it also makes certificate errors on that host non-bypassable: the browser shows a hard failure instead of a warning the user can click through.
How HSTS Works
When a server responds over HTTPS with the Strict-Transport-Security header, the browser records that the host requires HTTPS. For the duration given by max-age (in seconds, counted from the last time the header was seen), the browser rewrites any http:// URL for that host to https:// internally, before any request leaves the machine. Browsers ignore the header when it arrives over plain HTTP or over a connection with certificate errors; each fresh header restarts the clock, and max-age=0 removes the stored entry.
A typical HSTS header looks like: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. The includeSubDomains directive extends the policy to every subdomain of the host that sent it, and preload signals that the site consents to inclusion in the browser preload list described below.
Why HSTS Matters
Without HSTS, a user who types a bare hostname or follows an http:// link makes a first request over HTTP before the server redirects to HTTPS. In that window an attacker on the same network can intercept the connection and keep serving the victim plain HTTP while talking HTTPS to the real site, a technique called SSL stripping. HSTS closes the gap for every visit after the first: the browser never attempts an insecure connection to a host it remembers. The very first visit remains exposed unless the domain is on the preload list.
HSTS Preload List
The HSTS preload list is built into all major browsers (Chrome maintains the list, and Firefox, Safari and Edge consume it). Domains on this list always require HTTPS, even on the very first visit. To qualify, the header served on the base domain must include the includeSubDomains and preload directives with a max-age of at least one year (31536000 seconds); the site must also serve a valid certificate, redirect HTTP to HTTPS on the same host if it listens on port 80, and serve every subdomain over HTTPS.
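The following is an added example, not code from the original article: a small JavaScript model of the browser-side behaviour described under "How HSTS Works" (header parsing, the per-host store, and the internal http-to-https rewrite that defeats SSL stripping), plus a check of a header against the preload requirements listed above. All hostnames and timestamps are constructed sample data, and the real browser store and preload list are far larger than this stand-in.

```javascript
// Added example, not from the original article: a minimal model of how a
// browser consumes Strict-Transport-Security, plus a preload-eligibility
// check. Hostnames and timestamps below are constructed sample data.

const ONE_YEAR = 31536000;

// Parse a header value into { maxAge, includeSubDomains, preload }.
// Returns null when max-age is missing or malformed: RFC 6797 makes
// max-age mandatory and browsers discard a header without it.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of headerValue.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? '' : directive.slice(eq + 1).trim().replace(/^"|"$/g, '');
    if (name === 'max-age') {
      if (!/^\d+$/.test(value)) return null;
      policy.maxAge = parseInt(value, 10);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      policy.preload = true;
    } // unknown directives are ignored, as the RFC requires
  }
  return policy.maxAge === null ? null : policy;
}

// The per-host store a browser keeps: host -> { expires, includeSubDomains }.
// Timestamps are in seconds so they line up with max-age.
class HstsStore {
  constructor(preloaded = []) {
    this.entries = new Map();
    // Preloaded hosts never expire and always cover their subdomains.
    for (const host of preloaded) {
      this.entries.set(host, { expires: Infinity, includeSubDomains: true });
    }
  }

  // Record a response; returns true if the stored policy changed. Browsers
  // only honor the header on an HTTPS response with a valid certificate,
  // so a header seen over plain HTTP is dropped here.
  observeResponse(host, overHttps, headerValue, now) {
    if (!overHttps) return false;
    const policy = parseHsts(headerValue);
    if (policy === null) return false;
    if (policy.maxAge === 0) {            // max-age=0 tells the browser to forget the host
      this.entries.delete(host);
      return true;
    }
    this.entries.set(host, {
      expires: now + policy.maxAge,       // each fresh header restarts the clock
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Is the host covered, directly or through an ancestor with includeSubDomains?
  isKnown(host, now) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const entry = this.entries.get(labels.slice(i).join('.'));
      if (!entry || entry.expires <= now) continue;   // absent or expired
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// URL to https:// before any request leaves the machine.
  // This is the step that defeats SSL stripping: no HTTP request is ever
  // emitted for a known host, so there is nothing for the attacker to intercept.
  upgrade(url, now) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname, now)) {
      u.protocol = 'https:';
    }
    return u.toString();
  }
}

// Check a header against the preload requirements: max-age of at least one
// year, includeSubDomains, and preload. Empty result means the header qualifies.
function preloadProblems(headerValue) {
  const policy = parseHsts(headerValue);
  if (policy === null) return ['max-age is missing or malformed'];
  const problems = [];
  if (policy.maxAge < ONE_YEAR) problems.push(`max-age ${policy.maxAge} is below ${ONE_YEAR}`);
  if (!policy.includeSubDomains) problems.push('includeSubDomains directive missing');
  if (!policy.preload) problems.push('preload directive missing');
  return problems;
}

// Walk through the article's scenario with constructed hosts.
const now = 1700000000;
const store = new HstsStore(['preloaded.example']);               // stand-in for the built-in list
store.observeResponse('example.com', false, 'max-age=31536000');  // plain HTTP: ignored
store.observeResponse('example.com', true, 'max-age=31536000; includeSubDomains', now);
console.log(store.upgrade('http://api.example.com/login', now));  // https://api.example.com/login
console.log(store.upgrade('http://not-yet-seen.example/', now));  // unchanged: first visit still exposed
console.log(preloadProblems('max-age=300'));                       // three problems
```

The `not-yet-seen.example` line is the point of the preload list: a host the store has never recorded gets no upgrade, so its first request goes out over HTTP. Only a preloaded entry (or a previously seen header) closes that gap.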
Frequently Asked Questions
What is the HSTS preload list?
A list of domains hardcoded into browsers that always require HTTPS. Once your domain is on it, browsers never make insecure requests to your site — even on the first visit. Submit at hstspreload.org.
Can HSTS cause problems?
Yes. If your TLS certificate expires or is misconfigured while HSTS is active, users cannot reach your site at all: the browser refuses to fall back to HTTP and does not let them click through the certificate error. With includeSubDomains, any subdomain that is still HTTP-only (internal tools, staging hosts, a vendor-hosted service on a CNAME) becomes unreachable as well, and preloading is effectively permanent, since removal from the list takes months to roll out with browser releases. Start with a short max-age such as 300 seconds, confirm that every host covered serves HTTPS reliably, then raise it in stages to the full year.
Does HSTS protect email?
HSTS protects web traffic, not SMTP email transport. It does protect webmail interfaces, which are ordinary web traffic. For enforcing TLS on email delivery between mail servers, see MTA-STS, which serves a similar purpose for SMTP.