HostingChecker

Glossary

HSTS (HTTP Strict Transport Security)

HSTS is a security header that tells browsers to only ever connect to a site over HTTPS, preventing downgrade and cookie-hijacking attacks.

HSTS (HTTP Strict Transport Security) is a response header that instructs browsers to communicate with a site exclusively over HTTPS, never falling back to plain HTTP.

How it works

The server sends a header such as:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

  • max-age — how long (in seconds) the browser should remember the rule.
  • includeSubDomains — apply it to every subdomain.
  • preload — opt into a list baked into browsers so the rule applies even on the very first visit.
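As an added example (not code from the HostingChecker page), the following parser reads a Strict-Transport-Security value such as the one above and reports the findings a hosting check would raise: a missing or non-numeric max-age (browsers ignore the header), max-age=0 (which clears the policy), a max-age shorter than the one year the preload list requires, and a preload flag without the includeSubDomains and max-age it needs.

```python
# Added example: parse a Strict-Transport-Security header value and assess it.
import re

ONE_YEAR = 31536000  # seconds; the minimum max-age required for preloading


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives.

    Directives are ';'-separated and case-insensitive; max-age carries a
    numeric argument, includeSubDomains and preload are bare flags.
    Returns a dict, or None if the header is invalid (no numeric max-age).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # a quoted-string argument is allowed
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None  # non-numeric max-age: browsers ignore the header
            directives["max-age"] = int(arg)
        else:
            directives[name] = True
    if "max-age" not in directives:
        return None  # max-age is mandatory
    return directives


def assess_hsts(value):
    """Return the list of findings for a header value (empty list = policy is sound)."""
    d = parse_hsts(value)
    if d is None:
        return ["invalid: missing or non-numeric max-age, browsers ignore the header"]
    findings = []
    if d["max-age"] == 0:
        findings.append("max-age=0: policy is cleared, the site is not protected")
    elif d["max-age"] < ONE_YEAR:
        findings.append("max-age below one year: too short for the preload list")
    if not d.get("includesubdomains"):
        findings.append("includeSubDomains missing: subdomains can still be downgraded")
    if d.get("preload") and (d["max-age"] < ONE_YEAR or not d.get("includesubdomains")):
        findings.append("preload set but the policy does not meet preload requirements")
    return findings
```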

Why it matters for hosting

HSTS closes the window in which an attacker could intercept the initial insecure request and downgrade it (an SSL-stripping attack). It depends on a correctly configured SSL/TLS certificate covering all relevant hostnames, including every subdomain when includeSubDomains is set.

Be deliberate with long max-age values: once set, browsers refuse insecure connections until it expires, so test your certificate chain first.
