Glossary · Security

HSTS (HTTP Strict Transport Security)

An HTTP header that tells browsers to ONLY connect to this site over HTTPS, never plain HTTP, for the next N seconds.

Diagram explaining HSTS (HTTP Strict Transport Security)

HSTS solves a subtle but real attack: even when a site uses HTTPS, attackers can intercept the initial plain-HTTP request (before the redirect to HTTPS fires) and either downgrade the connection or strip the redirect entirely. HSTS prevents this by telling the browser "after seeing me this once, NEVER connect to me without HTTPS again."

A typical HSTS header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Components:

  • max-age=31536000 — the browser remembers the HSTS directive for 1 year (in seconds). After that it can be revisited via plain HTTP.
  • includeSubDomains — also enforce HSTS for all subdomains of this host.
  • preload — consent to be included in the browser's built-in HSTS preload list (see below).

HSTS preload takes the protection one step further: rather than relying on the browser having seen the site once, you can submit your domain to hstspreload.org to be included in a list shipped with every browser. The browser then enforces HTTPS-only for your domain from the first visit, even if it's never connected before.

Trade-off: HSTS-preloaded domains can't go back to HTTP. Make sure your entire site (including all subdomains if you use that directive) is HTTPS-only before submitting.

Modusdom's production sites all use HSTS with a 1-year max-age and includeSubDomains. We're preload-ready but not yet preloaded.

Now the jargon makes sense — let us handle the rest.

You learned what it means; we'll set it up. Register your domain, get email that lands in the inbox, and never decode a renewal bill again — flat pricing, free privacy, real human support.

No upsells at checkout · Free WHOIS privacy · Same price every year · Transfer out free, anytime

Find your domain See flat pricing