Your website has an SSL certificate. It loads over HTTPS. The padlock is there. Surely you are covered?

Not entirely. There is a specific type of attack — called SSL stripping — that can silently remove your encryption even when it is properly configured, leaving your visitors exposed without their knowledge. HSTS is the defence, and it is a single line of configuration.

What Is HSTS?

HSTS stands for HTTP Strict Transport Security. It is a security header — a small instruction your web server includes alongside every page response — that tells browsers to load your website over HTTPS only, never over plain HTTP.

Once a browser receives your HSTS header, it will refuse to load your site over HTTP for the duration you specify. If an attacker or a misconfigured link tries to load your site without encryption, the browser ignores it and uses HTTPS automatically — without asking, without warning, without giving the attack a chance to succeed.

What Is SSL Stripping and Why Is It a Real Risk?

SSL stripping was first demonstrated publicly by security researcher Moxie Marlinspike in 2009. The attack works like this:

A visitor connects to a public Wi-Fi network — say, in a coffee shop. An attacker on the same network positions themselves between the visitor and the internet. When the visitor types your website address, their browser often starts over plain HTTP before being redirected to HTTPS.

The attacker intercepts that initial HTTP request, maintains an encrypted connection to your server, but serves the visitor a plain HTTP version of your site. The visitor’s browser shows no padlock. They may not notice — especially on a mobile device or if they are in a hurry. Everything they type — login credentials, contact form data, payment information — is visible to the attacker in plain text.

Tools like sslstrip, which automate this attack, are freely available online and require no technical sophistication to run.

Why HTTPS Alone Does Not Close This Gap

The key vulnerability is the first connection. If a visitor types yourcompany.co.uk rather than https://yourcompany.co.uk, their browser’s first request is HTTP. Your server redirects them to HTTPS. But that gap — between the initial HTTP request and the HTTPS redirect — is where the attack happens.

Without HSTS, the browser has no memory that your site should always be HTTPS. Every first visit, every new browser session, is potentially vulnerable.

With HSTS, the browser remembers your policy. Once a visitor has received your HSTS header, every subsequent visit goes directly to HTTPS — with no initial HTTP request at all.

How to Add HSTS to Your Website

Adding HSTS is a single header in your web server’s configuration:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Breaking this down:

  • max-age=31536000 tells browsers to remember the policy for one year (31,536,000 seconds)
  • includeSubDomains applies the policy to all subdomains of your domain
  • preload opts your domain into the HSTS preload list (see below)

In practice, this is set in your web server configuration (Apache, Nginx, or IIS), or through your hosting control panel or CDN. Cloudflare has a simple HSTS toggle in its SSL settings.

The HSTS preload list is a list maintained by Google and included in all major browsers. If your domain is on it, browsers will use HTTPS for your site even on the very first visit — before they have ever received your HSTS header. You can submit your domain at hstspreload.org once your configuration is correct.

Before Enabling HSTS: Two Cautions

Check all subdomains have valid certificates. HSTS with includeSubDomains is strictly enforced. If any subdomain does not have a valid certificate, it will become inaccessible after HSTS is applied.

Resolve mixed content first. If your HTTPS pages load any resources (images, scripts, stylesheets) over HTTP, fix those before applying HSTS. Mixed content causes errors and must be resolved before HSTS will work cleanly.

What to Do Next

  • Check whether your site already has HSTS. Look at your site’s response headers using your browser’s developer tools or a free online header checker.
  • Add the HSTS header to your web server configuration, CDN, or hosting control panel.
  • Start with a short max-age (e.g., 300 seconds) when first testing, to give yourself room to correct any issues before locking in a year-long policy.
  • Work up to max-age=31536000 and then submit to the preload list once you are confident everything works correctly.
  • Pair HSTS with a valid SSL certificate — the two work together. An expired or invalid certificate will prevent HSTS from functioning.
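The header breakdown above and the "check whether your site already has HSTS" step can be turned into a small checker. The script below is an added example, not code from the original article or from W3IT: it parses a Strict-Transport-Security value, reports what is missing, and flags a max-age below the one-year preload minimum, using the directive names and thresholds stated above. The sample header values are constructed; `fetch_hsts` is an optional helper that does a live HTTPS HEAD request and is not needed to run the parser.

```python
# Added example (not from the original article): parse and evaluate an HSTS header.
import urllib.request

ONE_YEAR = 31536000  # max-age recommended above and required for the preload list


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into directives.

    Names are case-insensitive; max-age carries a number, the other two are flags.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or True
    return directives


def check_hsts(value):
    """Return a list of problems; an empty list means the header is preload-ready."""
    if value is None:
        return ["no Strict-Transport-Security header sent"]
    d = parse_hsts(value)
    problems = []
    raw = d.get("max-age")
    if not isinstance(raw, str) or not raw.isdigit():
        problems.append("max-age missing or not numeric")
    elif int(raw) == 0:
        problems.append("max-age=0 disables the policy")
    elif int(raw) < ONE_YEAR:
        problems.append(f"max-age={raw} is below the one-year preload minimum (fine while testing)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing (required for preload)")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def fetch_hsts(host: str, timeout: int = 10):
    """Fetch the header from https://host/ (needs network); None if absent."""
    req = urllib.request.Request(f"https://{host}/", method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("Strict-Transport-Security")


if __name__ == "__main__":
    # Constructed sample values: the article's full header and a short testing header.
    for sample in ["max-age=31536000; includeSubDomains; preload", "max-age=300", None]:
        print(repr(sample), "->", check_hsts(sample) or "OK, preload-ready")
```

Run it against your own domain with `check_hsts(fetch_hsts("yourcompany.co.uk"))` once the header is deployed; the header only counts when it arrives on an HTTPS response.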

HSTS is genuinely one of the highest-value, lowest-effort security improvements available to any website. It is a single configuration line, requires no ongoing maintenance, and closes a meaningful gap that HTTPS alone leaves open.

W3IT’s free security check checks whether your website sends the HSTS header and whether it is correctly configured. Run it now and see exactly where you stand.