HTTP Strict-Transport-Security header explained

A policy that protects web users from “man in the middle” attacks

The rise in internet use has come with an increased risk level that puts website users and owners at risk of being cyber attacked. For instance, if a user types the name of a website that uses HTTPS without including all the characters correctly, the web browser can redirect that user to the right site. For example, someone intending to visit can type [] or even, and they will redirect to the main site. However, during the redirecting process, users are susceptible to hackers who may take the opportunity to redirect them to a malicious site. This is where HTTP Strict-Transport-Security Header comes in. It informs browsers to avoid loading a site that uses HTTP and directs such searches to HTTPS instead.

Therefore, HTTP Strict Transport Security Header is a policy that protects web users from “man in the middle attacks.” With this mechanism, there is a reduced risk of threats such as cookie hijacking and protocol downgrade attacks. With the HTTPS protocols, the browsers interact with connections that have transport layer security only, supporting enhanced security.

How does the Strict-Transport-Security affect the website and security?

Besides preventing man-in-the-middle attacks, HTTP Strict Transport Security Header also helps prevent eavesdropping and mixed content overrides. Additionally, it helps prevent overriding click-through certificates and uploading of JavaScript in connections that aren’t secure. These are factors that can affect website and server usage by making it easier for hackers to get their way. With the header, you get protection, which results in better overall use of the website and browsers.

HTTP Strict Transport Security was invented to bridge the gap that HTTP could not. Its main purpose is to guarantee end-to-end security by having encrypted communication between browsers and website servers. It doesn’t just help with correct certificates during redirecting. It also helps with all future visits by allowing the browser to remember the site as HTTPS only for a specified duration. It does this by specifying three directives which are:

  • MAX-AGE: this directive tells the browser how long it should remember the website as an HTTPS only. The values are usually given second and are effective for a year, which means that the browser will remember the site for 31536000. As such, if your website has 0 seconds value, the browser will delete its header policy and treat it as a new website the next time a user search for it.
  • INCLUDESUBDOMAINS: while the first directive is mandatory, this one is optional. It allows browsers to apply the HTTP Strict Transport Security Header to a domain and all its subdomains. With this, all the subdomains, especially those with www ones, will have all the security aspects mentioned above. It also has values in seconds and is effective for at least a year.
  • PRELOAD: this shows that a website has applied for the HTTP strict transport security header policy and meets all the requirements. It is also optional.


With HTTP Strict Transport Security Header, you will have a more secure website. Some of the requirements your site should meet before you apply for the policy include having a valid SSL certificate with all your subdomains covered in it, have a max-age of at least 10886400, and a specified preload directive if you choose to have them.

Downtime Happens. Get Notified!

Uptime, SEO and Vulnerability monitors

for your website, totally free