Velohost

HSTS & HTTPS security

HSTS Checker FAQs

Clear, risk-aware explanations of HTTP Strict Transport Security, browser enforcement, preload behaviour, certificate failures, and best-practice guidance.

What is HSTS?

HSTS (HTTP Strict Transport Security) is a security policy that tells browsers to always connect to a website using HTTPS and never fall back to HTTP.

How does HSTS work in practice?

When a browser receives an HSTS header, it stores the policy locally and automatically upgrades all future requests to HTTPS for the duration specified by the max-age directive.

Does running an HSTS check change anything?

No. HSTS checks are read-only inspections of HTTP response headers and do not modify server configuration or browser state.

How do browsers enforce HSTS?

Once a policy is stored, browsers rewrite every HTTP request for the site to HTTPS before it leaves the machine and, if the HTTPS connection then fails (for example because of a certificate error), block access entirely with no option for the user to click through the warning.

What is max-age in HSTS?

The max-age directive defines how long a browser should enforce HTTPS-only access for a domain, measured in seconds.

What does includeSubDomains do?

includeSubDomains applies the HSTS policy to all subdomains, meaning every subdomain must support valid HTTPS for the entire duration.
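The storage and upgrade behaviour described in the last few answers (policy remembered for max-age seconds, subdomain scope from includeSubDomains, HTTP rewritten to HTTPS, hard failure on TLS errors) can be modelled in a few dozen lines. The following is an added example written for this page, not Velohost code and not any browser's implementation; it follows RFC 6797 sections 8.1 to 8.4 and assumes the header has already been parsed, so `remember()` takes the max-age and includeSubDomains values directly rather than the raw header string.

```python
"""Toy model of a browser's HSTS store (RFC 6797 sections 8.1-8.4).

Added example, not Velohost code or any browser's implementation.
It models how a received policy is stored, how max-age expiry and
includeSubDomains scope are applied, and how plain-HTTP URLs are
rewritten. Header parsing is out of scope here: remember() takes the
already-parsed max-age and includeSubDomains values.
"""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Policy:
    expires_at: float          # absolute time at which max-age runs out
    include_subdomains: bool


class HstsStore:
    def __init__(self, clock=time.time):
        self._clock = clock    # injectable so expiry can be tested deterministically
        self._policies = {}    # canonical host name -> Policy

    @staticmethod
    def _canon(host):
        return host.lower().rstrip(".")

    def remember(self, host, max_age, include_subdomains, received_over_tls):
        """Record the policy carried by a response. A header received over
        plain HTTP is ignored (s8.1), and max-age=0 deletes any stored policy."""
        if not received_over_tls:
            return
        host = self._canon(host)
        if max_age <= 0:
            self._policies.pop(host, None)
            return
        self._policies[host] = Policy(self._clock() + max_age, include_subdomains)

    def is_known_host(self, host):
        """True if host, or a superdomain whose policy has includeSubDomains,
        has an unexpired policy. Matching is label-wise, so a policy for
        'example.com' never matches 'notexample.com'."""
        labels = self._canon(host).split(".")
        now = self._clock()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= now:
                del self._policies[candidate]     # max-age elapsed: forget it
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL for a known host (s8.3). An explicit :80
        becomes the implicit https port; any other explicit port is kept."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known_host(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def tls_error_recoverable(self, host):
        """Known hosts hard-fail on any TLS error (s8.4): no click-through."""
        return not self.is_known_host(host)
```

The injectable clock is what lets you see the max-age expiry that the FAQ warns about: advance it past the stored value and the same URL stops being upgraded, which is exactly why a policy cannot be "removed instantly" from browsers that have already seen it.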

What is HSTS preload?

HSTS preload is a browser-maintained list of domains whose HTTPS enforcement is compiled into the browser itself, so the policy applies from the first visit, before any network request is made and before the site has ever sent the header.

Why is HSTS preload risky?

Once preloaded, HTTPS enforcement cannot be bypassed and removal requires approval from browser vendors, often taking months.
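Because preload is hard to undo, it is worth checking a header for preload readiness before submitting the domain. The code below is an added example written for this page, not Velohost's checker: it parses a Strict-Transport-Security value according to the grammar in RFC 6797 section 6.1 (max-age required, directives case-insensitive and not repeated, quoted values allowed, a syntax error means browsers ignore the whole header), picks the first such header when several are present (section 8.1), and reports which of the published hstspreload.org requirements (max-age of at least one year, includeSubDomains, and the preload directive) are not yet met. The rollout stage names are this example's own labels.

```python
"""Parse and assess a Strict-Transport-Security header (RFC 6797 s6.1, s8.1).

Added example, not Velohost's checker. The preload thresholds follow
the published hstspreload.org requirements: max-age >= one year,
includeSubDomains present, preload present. Stage names are ours.
"""
import re

ONE_YEAR = 31_536_000            # seconds
PRELOAD_MIN_MAX_AGE = ONE_YEAR


class HstsSyntaxError(ValueError):
    """A syntactically invalid header is ignored in full by browsers."""


def select_sts(headers):
    """Return the value of the first Strict-Transport-Security header in a
    list of (name, value) pairs, or None. Browsers process only the first."""
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            return value
    return None


def parse_sts(header_value):
    """Return {'max_age': int, 'include_subdomains': bool, 'preload': bool}."""
    seen = {}
    for raw in header_value.split(";"):
        raw = raw.strip()
        if not raw:
            continue                          # tolerate a trailing ';'
        name, sep, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]               # quoted-string form is allowed
        if name in seen:
            raise HstsSyntaxError(f"directive repeated: {name}")
        seen[name] = (sep, value)             # unknown directives are kept but ignored
    if "max-age" not in seen:
        raise HstsSyntaxError("max-age is required")
    sep, value = seen["max-age"]
    if not sep or not re.fullmatch(r"[0-9]+", value):
        raise HstsSyntaxError("max-age must be a non-negative integer")
    for flag in ("includesubdomains", "preload"):
        if flag in seen and seen[flag][0]:
            raise HstsSyntaxError(f"{flag} is a valueless directive")
    return {
        "max_age": int(value),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }


def assess(header_value):
    """Classify the header into a rollout stage and list preload blockers."""
    try:
        p = parse_sts(header_value)
    except HstsSyntaxError as e:
        return {"valid": False, "reason": str(e)}
    blockers = []
    if p["max_age"] < PRELOAD_MIN_MAX_AGE:
        blockers.append(f"max-age {p['max_age']} is below one year ({PRELOAD_MIN_MAX_AGE})")
    if not p["include_subdomains"]:
        blockers.append("includeSubDomains missing")
    if not p["preload"]:
        blockers.append("preload directive missing")
    if p["max_age"] == 0:
        stage = "disabling"          # tells browsers to forget the host
    elif p["max_age"] < 86_400:
        stage = "testing"            # under a day: safe for staging
    elif p["max_age"] < ONE_YEAR:
        stage = "ramping"
    else:
        stage = "production"
    return {"valid": True, **p, "stage": stage,
            "preload_ready": not blockers, "preload_blockers": blockers}


if __name__ == "__main__":
    # Constructed sample response headers, not captured from a real site.
    sample = [("Content-Type", "text/html"),
              ("Strict-Transport-Security", "max-age=63072000; includeSubDomains")]
    print(assess(select_sts(sample)))
```

Note that the assessment only looks at the header. The preload list also requires a valid certificate on the base domain and a redirect from HTTP to HTTPS, which a header parser cannot see; those belong in the certificate and redirect checks.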

What happens if an SSL certificate expires while HSTS is active?

Browsers will block access entirely until a valid certificate is deployed. Users cannot bypass warnings or proceed at their own risk.

Can HSTS cause downtime?

Yes. Any HTTPS misconfiguration, certificate expiry, or trust failure can result in complete site unavailability for all users.
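Since an expired or mismatched certificate anywhere inside the HSTS scope becomes a hard block rather than a bypassable warning, the monitoring the FAQ calls for has to cover every host the policy reaches, not just the apex. The sweep below is an added example written for this page, not Velohost's certificate checker. It consumes the dict shape that `ssl.SSLSocket.getpeercert()` returns (`notAfter` and `subjectAltName`) so it can be fed live data, but the certificates and the pinned clock are constructed sample data so it runs offline.

```python
"""Certificate-health sweep for every host inside an HSTS scope.

Added example, not Velohost's certificate checker. Each certificate is
the dict shape ssl.SSLSocket.getpeercert() returns ('notAfter' and
'subjectAltName'); the certificates below are constructed sample data
and SAMPLE_NOW pins the clock so the sweep is deterministic offline.
"""
import math
import ssl
import time

# Constructed sample: example.com sends includeSubDomains, so every
# subdomain is in scope and any failure among them is a hard failure.
SAMPLE_CERTS = {
    "example.com": {
        "notAfter": "Mar  1 12:00:00 2031 GMT",
        "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
    },
    "api.example.com": {
        "notAfter": "Feb  1 12:00:00 2031 GMT",
        "subjectAltName": (("DNS", "*.example.com"),),   # wildcard covers one label
    },
    "old.example.com": {
        "notAfter": "Jan 10 00:00:00 2031 GMT",           # renewal overdue
        "subjectAltName": (("DNS", "old.example.com"),),
    },
    "legacy.example.com": {
        "notAfter": "Dec 31 23:59:59 2030 GMT",           # already expired
        "subjectAltName": (("DNS", "legacy.example.com"),),
    },
    "mail.example.com": {
        "notAfter": "Jun  1 00:00:00 2031 GMT",
        "subjectAltName": (("DNS", "example.com"),),      # does not name this host
    },
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2031 GMT")


def san_covers(host, san):
    """Hostname match against DNS SANs; a '*.' wildcard covers exactly one label."""
    host = host.lower()
    for kind, name in san:
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def check_host(host, cert, now, warn_days=14):
    """Classify one host's certificate as OK, WARNING or CRITICAL."""
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if not san_covers(host, cert.get("subjectAltName", ())):
        status, reason = "CRITICAL", "certificate does not cover this hostname"
    elif days_left <= 0:
        status, reason = "CRITICAL", "certificate has expired"
    elif days_left < warn_days:
        status, reason = "WARNING", f"expires in {math.floor(days_left)} days"
    else:
        status, reason = "OK", f"expires in {math.floor(days_left)} days"
    return {"host": host, "status": status, "days_left": math.floor(days_left), "reason": reason}


def sweep(certs, now=None, warn_days=14):
    """Check every host in scope. With HSTS active, each CRITICAL entry is a
    host whose users are hard-blocked, not merely warned."""
    now = time.time() if now is None else now
    return {host: check_host(host, cert, now, warn_days) for host, cert in certs.items()}


if __name__ == "__main__":
    for host, result in sweep(SAMPLE_CERTS, SAMPLE_NOW).items():
        print(f"{result['status']:8} {host:22} {result['reason']}")
```

The warning threshold should be chosen against the renewal process rather than the max-age: with automated renewal running weekly, fourteen days leaves two failed renewal cycles before the browser-enforced outage begins.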

Can HSTS be removed instantly?

No. HSTS remains active in browsers until the max-age expires, and preload removal can take weeks or months.

Should HSTS be tested before deployment?

Yes. HSTS should be tested with low max-age values in staging environments before being deployed to production.

Why does HSTS affect local development?

Browsers remember HSTS policies, which can cause localhost or development domains to be forced to HTTPS unexpectedly.

Does HSTS affect email services?

No. HSTS applies only to web traffic and does not impact SMTP, IMAP, or POP email delivery.

What security benefits does HSTS provide?

HSTS prevents SSL stripping attacks, downgrade attacks, and accidental insecure connections over HTTP.

Who should enable HSTS?

HSTS is best suited for organisations with automated certificate renewal, strong monitoring, and full control over DNS and hosting.

Who should avoid HSTS preload?

Small sites, personal projects, or environments without monitoring and automated renewal should avoid preload entirely.

What are HSTS best practices?

Best practices include gradual rollout, short initial max-age values, avoiding preload prematurely, and continuous certificate monitoring.

Does Velohost store HSTS check results?

No. HSTS checks are performed live and no domains, headers, or results are stored or logged.
