Should you enable HSTS? max-age, includeSubDomains, and preload
hsts · https · security-headers · tls · web-security
Yes — almost every site that serves HTTPS should enable HSTS, but roll it out gradually. HSTS (HTTP Strict Transport Security, RFC 6797) is a response header that tells browsers to connect to your domain only over HTTPS for max-age seconds. That defeats SSL-strip and downgrade attacks, stops accidental http:// links from leaking cookies in cleartext, and turns a user typo into an automatic HTTPS upgrade. The risk is operational, not theoretical: a too-aggressive policy can lock a subdomain out of the browser, so you start small and ramp.
What the header looks like
A full HSTS header is three directives:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- max-age — how many seconds the browser remembers to force HTTPS. 31536000 is one year, the common recommendation.
- includeSubDomains — applies the policy to every subdomain, not just the host that sent the header.
- preload — opts you into the browser-shipped preload list (more on this below).
Only max-age is required. The header is ignored over plain HTTP — browsers only honor it when it arrives over a valid HTTPS connection.
The trust-on-first-use gap
Plain HSTS has one critical limitation: it only takes effect after the first successful HTTPS visit. The browser has to see the header once before it starts enforcing it. That first request — or any request after the max-age window expires — is still vulnerable to a downgrade attack. This is the exact gap the preload list closes.
Rolling it out without breaking things
Do not start with a year. Start with a small max-age and confirm everything works over HTTPS first:
Strict-Transport-Security: max-age=300
Five minutes of enforcement is cheap to recover from. Load the site, check every path, then add includeSubDomains and verify every subdomain — www, api, mail, staging, the lot — actually serves valid HTTPS. includeSubDomains is the foot-gun: it forces HTTPS on all subdomains, so a single subdomain stuck on HTTP becomes unreachable in the browser until the policy expires. Once you have confirmed full coverage, ramp max-age to 31536000.
Should you preload?
The preload list (hstspreload.org) hardcodes your domain into Chrome, Firefox, Safari, and Edge, so HTTPS is enforced even on the very first visit. To qualify you need max-age of at least 31536000 (one year), plus includeSubDomains, plus the preload directive — and a valid HTTPS setup on the apex and all subdomains. A two-year max-age is the common recommendation for preloaded domains.
Getting on is easy. Getting off is slow and painful: removal propagates through browser release cycles and takes months. Only preload if you are committed to HTTPS-everywhere permanently. If that is your domain, do it — it is the strongest form of the protection.
Backing out
To disable HSTS, set max-age=0 over HTTPS and let browsers see it; they will drop the stored policy for that host. If you preloaded, you must also submit a removal request and wait out the browser release cycle — there is no fast undo.
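The following is an added example, not code from the original article: a small Python checker that parses a Strict-Transport-Security value the way the sections above describe it, classifies which rollout stage it represents (ignored over plain HTTP, pilot max-age, full policy, or the max-age=0 back-out), and tests the header against the three preload-list directive requirements. The function names, the HstsPolicy dataclass, and the sample headers are my own constructions; the checker cannot verify the out-of-band requirement that every subdomain actually serves valid HTTPS.

```python
"""Parse and evaluate a Strict-Transport-Security header value (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ONE_YEAR = 31536000            # seconds; the common max-age recommendation
PRELOAD_MIN_MAX_AGE = ONE_YEAR  # hstspreload.org requires at least one year


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    errors: List[str]


def parse_hsts(value: str) -> HstsPolicy:
    """Parse the directive list of an STS header value.

    Directive names are case-insensitive; max-age is the only required one.
    RFC 6797 treats a repeated directive as a malformed header, and ignores
    directives it does not know.
    """
    max_age = None
    include_subdomains = False
    preload = False
    errors: List[str] = []
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            errors.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                errors.append(f"max-age must be a non-negative integer, got {arg!r}")
            else:
                max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, per the RFC
    if max_age is None:
        errors.append("max-age is required")
    return HstsPolicy(max_age, include_subdomains, preload, errors)


def classify(value: str, over_https: bool = True) -> str:
    """Say what a browser does with this header at the given rollout stage."""
    if not over_https:
        return "ignored: HSTS is only honored over a valid HTTPS connection"
    p = parse_hsts(value)
    if p.errors:
        return "invalid: " + "; ".join(p.errors)
    if p.max_age == 0:
        return "disabling: browsers drop the stored policy"
    scope = "host and all subdomains" if p.include_subdomains else "this host only"
    stage = "pilot" if p.max_age < ONE_YEAR else "full"
    return f"{stage}: enforced for {p.max_age}s on {scope}"


def preload_eligible(value: str) -> Tuple[bool, List[str]]:
    """Check the header against the preload-list directive requirements:
    max-age of at least one year, includeSubDomains, and preload.
    Valid HTTPS on the apex and every subdomain must be verified separately."""
    p = parse_hsts(value)
    problems = list(p.errors)
    if p.max_age is not None and p.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {p.max_age} < {PRELOAD_MIN_MAX_AGE}")
    if not p.include_subdomains:
        problems.append("includeSubDomains missing")
    if not p.preload:
        problems.append("preload directive missing")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample headers, one per stage of the rollout described above.
    for hdr in ["max-age=300",
                "max-age=300; includeSubDomains",
                "max-age=31536000; includeSubDomains; preload",
                "max-age=0"]:
        print(f"{hdr!r:50} -> {classify(hdr)}")
        print("   preload eligible:", preload_eligible(hdr))
```

Run it as a script to see each sample classified; the same functions can be pointed at a header value copied from your own response headers to confirm which stage of the ramp you are on before you move to the next one.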
Further reading
- Security headers: the full guide
- Reading a TLS certificate
- RFC 6797 — HTTP Strict Transport Security (HSTS)