HTTP Security Header

Strict-Transport-Security (HSTS)

Forces browsers to only interact with the server using secure HTTPS connections, rather than insecure HTTP.

Configuration Snapshot

Header Name: Strict-Transport-Security (HSTS)
Primary Mitigation: Man-in-the-Middle (MitM) attacks, SSL stripping

Example Configuration

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Implementation Best Practices

  • Set a long max-age (e.g., 2 years)
  • Include all subdomains using the includeSubDomains directive
  • Submit the domain to the HSTS preload list
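The following checker applies the three best practices above to a Strict-Transport-Security value and reports what is missing or weak. It is an added example, not part of this page or its scanning tool; the one-year minimum it enforces for the preload directive comes from the public HSTS preload list requirements, not from this page.

```python
import re

# Thresholds in seconds: the page recommends a two-year max-age; the public
# HSTS preload list requires at least one year when "preload" is set.
TWO_YEARS = 63072000
ONE_YEAR = 31536000


def parse_hsts(header_value):
    """Parse an HSTS header value into {directive_name: value}.

    Directive names are case-insensitive, so they are lower-cased; directives
    without a value (includeSubDomains, preload) map to an empty string.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def audit_hsts(header_value):
    """Return a list of findings; an empty list means all best practices are met."""
    d = parse_hsts(header_value)
    if "max-age" not in d:
        return ["max-age missing: the header is invalid and browsers ignore it"]
    if not re.fullmatch(r"\d+", d["max-age"]):
        return [f"max-age is not a non-negative integer: {d['max-age']!r}"]

    findings = []
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 clears the cached policy; HTTPS is no longer enforced")
    elif max_age < TWO_YEARS:
        findings.append(f"max-age {max_age} is below the recommended 2 years ({TWO_YEARS})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains are still reachable over HTTP")
    if "preload" not in d:
        findings.append("preload missing: the first visit is unprotected until the policy is cached")
    elif max_age < ONE_YEAR or "includesubdomains" not in d:
        findings.append("preload set, but the preload list requires max-age >= 1 year and includeSubDomains")
    return findings


if __name__ == "__main__":
    # Constructed sample values: the page's recommended header and a weak one.
    for value in ("max-age=63072000; includeSubDomains; preload", "max-age=3600; preload"):
        print(value, "->", audit_hsts(value) or "OK")
```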

Audit Your Configuration

Properly implementing Strict-Transport-Security (HSTS) is critical for achieving a robust security posture. A misconfigured header can leave your application exposed to client-side attacks or accidentally block legitimate functionality. Use our Security Headers auditing tool to evaluate your live production setup.