HTTP security headers

HTTP Strict Transport Security (HSTS)

What the Strict-Transport-Security header does, why a missing HSTS policy leaves visitors exposed to downgrade attacks, and how WebGuard reports it.

Last updated June 9, 2026

What it is

HSTS is a response header that tells a browser to only ever contact your domain over HTTPS. Once a browser has seen it, it refuses to make a plain-HTTP request to your site at all, even if a user types `http://` or follows an old link.

Why it matters

Without HSTS there is a window, typically the very first request, where a visitor can be silently downgraded to unencrypted HTTP and intercepted on a hostile network. HSTS closes that window for every returning visitor. It is a single header with a large payoff, which is why its absence is a common, easily fixed finding.

How WebGuard checks it

WebGuard reads the response headers your public site returns and reports whether Strict-Transport-Security is present, and whether its policy is strong (a long max-age, ideally covering subdomains). It never sends intrusive requests; it only observes what your server already returns.

A sensible starting configuration:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Check this on your own domain

WebGuard reviews this alongside the rest of your external exposure in a single read-only pass. Run a free review, or see everything it covers.