HSTS
HTTP Strict Transport Security. A response header that tells browsers 'never load this domain over plain HTTP again'. Forces HTTPS-only.
HSTS (HTTP Strict Transport Security, RFC 6797) is an HTTP response header that tells browsers to refuse plain HTTP for your domain. Once a browser sees the header, every future request to your domain auto-upgrades to HTTPS, even if the user types http://.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- max-age=31536000: remember this for one year.
- includeSubDomains: applies to all subdomains too.
- preload: opt into the HSTS preload list (more on that below).
Why HSTS matters
Without HSTS, a man-in-the-middle attacker on the network can intercept the FIRST request a user makes to your domain (the one before the redirect to HTTPS) and strip the redirect. HSTS removes that window: after the first HTTPS visit, the browser will never make a plain HTTP request to your domain again.
The HSTS preload list
Submit your domain to hstspreload.org and Chrome, Firefox, Safari and Edge will ship with your domain already on their built-in list. Even a first-time visitor on a fresh browser hits HTTPS only. No vulnerable first request.
To preload, you need:
- A valid HTTPS cert at the apex.
- An HSTS header with max-age >= 31536000 (1 year), includeSubDomains, and preload.
- All subdomains also working over HTTPS.
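As an added example (not code from the original page), here is a small parser for the Strict-Transport-Security header that follows the RFC 6797 directive syntax and then checks the value against the preload requirements listed above. The sample header values are constructed for the demo.

```python
# Added example: parse a Strict-Transport-Security header value and report
# what would block submission to the HSTS preload list. Sample inputs are
# constructed; the rules checked are the ones stated on this page.

ONE_YEAR = 31536000


def parse_hsts(header_value):
    """Return a dict of directives from an STS header value.

    RFC 6797: directives are ';'-separated, names are case-insensitive,
    only max-age carries a value, and a duplicated directive is invalid.
    """
    directives = {}
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, sep, value = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value.strip().strip('"') if sep else None
    if "max-age" not in directives or not (directives["max-age"] or "").isdigit():
        raise ValueError("max-age is required and must be a non-negative integer")
    return directives


def preload_problems(header_value):
    """List what blocks preload submission for this header ([] means eligible)."""
    try:
        d = parse_hsts(header_value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if int(d["max-age"]) < ONE_YEAR:
        problems.append("max-age must be at least 31536000 (one year)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive is missing")
    if "preload" not in d:
        problems.append("preload directive is missing")
    return problems


# Constructed samples: the header from this page plus two common mistakes.
SAMPLES = {
    "full": "max-age=31536000; includeSubDomains; preload",
    "short": "max-age=86400; includeSubDomains; preload",
    "no_subdomains": "max-age=63072000; preload",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, preload_problems(value) or "eligible for preload")
```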
HSTS for SaaS custom domains
If your SaaS sets HSTS headers on responses served for customer domains, and includeSubDomains is set, you're committing the customer's domain to HTTPS-only forever (within the max-age window).
Be careful: a customer with a non-HTTPS subdomain elsewhere (e.g., legacy.acme.com on a different platform) will break for users whose browser has cached your HSTS policy. Either don't set includeSubDomains on customer domains, or make sure customers know what they're opting into.