HSTS Explained: HTTP Strict Transport Security for UK Web Teams
HTTP Strict Transport Security forces browsers to use HTTPS for your domain — even when users type http://. This guide explains HSTS, the preload list, and how to implement it safely.
The problem HSTS solves
When a user types yourcompany.co.uk into a browser without a scheme, the browser has traditionally started with a plain HTTP request to port 80 and only moved to HTTPS if your server redirected it there. That first request, and the redirect response that answers it, travel unencrypted and can be read or altered by anyone positioned on the network path.
SSL stripping attacks exploit this window. An attacker on a shared network (coffee shop Wi-Fi, hotel network) intercepts the plain HTTP request, fetches the real site over HTTPS themselves, and relays it back to the user over HTTP with the redirect removed and https:// links rewritten. The user sees your content with no visible error, and the attacker reads everything in the clear, including form submissions and any cookies not marked Secure.
HSTS closes this window by instructing browsers never to connect to your domain over HTTP. Once a browser has received the header over a valid HTTPS connection (it is ignored if received over plain HTTP), it rewrites every http:// URL for that host to https:// internally, before any request leaves the machine, for as long as max-age allows. It also turns certificate errors for that host into hard failures that the user cannot click through.
The header
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- max-age=31536000: remember this policy for one year (the value is in seconds)
- includeSubDomains: apply the policy to every subdomain of the host that sent it, at any depth
- preload: signal that you intend to submit the domain to the browser preload lists; the directive itself changes nothing in the browser and only matters for submission
Safe HSTS deployment
HSTS is very easy to deploy incorrectly in a way that locks users out of your site: once a browser holds the policy it refuses plain HTTP for the host and will not let the user bypass a certificate error, and the only way to change its mind is to serve a new header over working HTTPS. Follow these steps:
- Make sure all your subdomains support HTTPS before adding includeSubDomains. If legacy.yourdomain.com still serves only over HTTP, browsers that have already received the header will refuse to load it.
- Send the header only on HTTPS responses. Browsers discard it on plain HTTP, so putting it on the port-80 redirect achieves nothing.
- Start with a short max-age (300 seconds) to verify everything works before committing to a long-duration policy.
- Gradually increase max-age (1 day, 1 week, 1 month) before settling on 1 year. If something breaks at any stage, serving max-age=0 over HTTPS tells browsers that see it to forget the policy; browsers that do not visit again keep the old policy until it expires, which is why the early stages are short.
- Add preload last, only when you are confident the policy is correct and permanent.
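What the browser actually does with the header, and why the steps above are ordered as they are, is easiest to see in a small model. The following Python is an added example, not code from this page or from VP Shield: a toy HSTS store with RFC 6797 semantics, replayed through the rollout using constructed hostnames (yourcompany.co.uk, legacy.yourcompany.co.uk and notyourcompany.co.uk). It shows that a header received over plain HTTP is ignored, that a 300-second trial policy expires on its own, that includeSubDomains is the directive that breaks an HTTP-only legacy subdomain, and that max-age=0 served over HTTPS retracts the policy for browsers that see it.

```python
"""Toy model of a browser's HSTS store with RFC 6797 semantics (added example,
not the page's or VP Shield's code). Hostnames are constructed for illustration."""

ONE_YEAR = 31536000


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload).

    Directive names are case-insensitive. A value with no max-age, a non-numeric
    max-age, or a repeated directive is invalid and browsers ignore it (RFC 6797 s6.1).
    """
    seen = set()
    max_age, include_subdomains, preload = None, False, False
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Unknown directives are ignored, as the RFC requires.
    if max_age is None:
        return None
    return max_age, include_subdomains, preload


class HstsStore:
    """Per-host cache as a browser keeps it: host -> (expiry time, include_subdomains)."""

    def __init__(self):
        self.policies = {}

    def observe_response(self, host, scheme, header, now):
        """Record the policy carried by a response. Returns True if the store changed."""
        # RFC 6797 s8.1: the header is only honoured on a secure (HTTPS) connection.
        if scheme != "https" or header is None:
            return False
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_subdomains, _preload = parsed  # preload changes nothing here
        host = host.lower()
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.policies[host] = (now + max_age, include_subdomains)
        return True

    def should_upgrade(self, host, now):
        """True if an http:// request for host must be rewritten to https:// before sending."""
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])  # the host itself, then each parent domain
            entry = self.policies.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if now >= expiry:
                continue  # expired policy: the browser falls back to plain HTTP again
            if candidate == host or include_subdomains:
                return True
        return False


def rollout_demo():
    """Replay the deployment steps against the toy store; returns name -> outcome."""
    store = HstsStore()
    t = 0
    apex, legacy = "yourcompany.co.uk", "legacy.yourcompany.co.uk"  # constructed hosts
    results = {}
    # 1. A header seen over plain HTTP is ignored, so nothing is upgraded afterwards.
    store.observe_response(apex, "http", f"max-age={ONE_YEAR}", t)
    results["http_header_ignored"] = not store.should_upgrade(apex, t + 1)
    # 2. A 300-second trial policy over HTTPS upgrades now and expires by itself.
    store.observe_response(apex, "https", "max-age=300", t)
    results["trial_active"] = store.should_upgrade(apex, t + 10)
    results["trial_expired"] = not store.should_upgrade(apex, t + 300)
    # 3. A one-year policy without includeSubDomains leaves the HTTP-only legacy host alone.
    store.observe_response(apex, "https", f"max-age={ONE_YEAR}", t)
    results["legacy_untouched"] = not store.should_upgrade(legacy, t + 1)
    # 4. Adding includeSubDomains makes the browser refuse http://legacy... as well,
    #    while an unrelated domain that merely shares a suffix is not affected.
    store.observe_response(apex, "https", f"max-age={ONE_YEAR}; includeSubDomains", t)
    results["legacy_forced"] = store.should_upgrade(legacy, t + 1)
    results["other_domain_untouched"] = not store.should_upgrade("notyourcompany.co.uk", t + 1)
    # 5. Backing out: max-age=0 over HTTPS drops the policy for browsers that see it.
    store.observe_response(apex, "https", "max-age=0", t + 2)
    results["retracted"] = not store.should_upgrade(legacy, t + 3)
    return results
```

Every value in rollout_demo() comes back True. Step 5 is the important limit: the retraction only reaches browsers that make another HTTPS request to the apex, which is why a one-year policy on a broken subdomain is a one-year outage for anyone who does not come back.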
The HSTS preload list
The HSTS preload list is a hardcoded list of domains that is shipped with every major browser. Even on a user's first ever visit to your domain, the browser knows to use only HTTPS — eliminating the brief window where the HSTS header has not yet been received.
To qualify for preloading, your domain must:
- Serve a valid certificate and a valid HTTPS response on the apex domain
- Redirect from HTTP to HTTPS on the same host if anything is listening on port 80
- Serve every subdomain over HTTPS, including www if it has a DNS record
- Send an HSTS header on the apex domain, over HTTPS, with a max-age of at least 1 year (31536000), includeSubDomains and preload; if the HTTPS response is itself a redirect, that redirect must still carry the header
Submit at hstspreload.org. Browser vendors take the list into each browser release, and a removal takes months to reach users, so treat preloading as permanent. Remember that includeSubDomains then applies to every subdomain, including internal hostnames under the domain that are never exposed to the internet; an intranet service on plain HTTP stops working in preloaded browsers.
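The requirements above can be encoded as a check against what a client observes for a domain. The following Python is an added example, not VP Shield's scanner and not the hstspreload.org checker: it takes a dictionary of already-fetched responses (here constructed sample data for yourcompany.co.uk; a real run would populate the same structure with an HTTP client) and returns the reasons the domain would be rejected for preload submission, with an empty list meaning it passes every check listed above.

```python
"""Preload-eligibility check over captured responses (added example, not
VP Shield's scanner or hstspreload.org's own checker). The responses below are
constructed sample data; a real run would fetch them with an HTTP client."""

ONE_YEAR = 31536000


def hsts_directives(header):
    """Lower-cased directive name -> value (None when the directive carries no value)."""
    out = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = value.strip().strip('"') if value else None
    return out


def preload_problems(domain, responses):
    """Return human-readable reasons the domain is NOT ready for preload submission.

    `responses` maps a URL to a dict with keys 'status', 'location', 'hsts' and
    'tls_ok' describing what a client observed when fetching that URL.
    """
    problems = []
    https = responses.get(f"https://{domain}/")
    if https is None or not https.get("tls_ok"):
        problems.append("base domain does not serve a valid HTTPS response")
        return problems  # nothing else can be checked without a working HTTPS apex
    http = responses.get(f"http://{domain}/")
    if http is not None:  # port 80 is listening, so it must redirect to the same host
        target = http.get("location") or ""
        if not (300 <= http.get("status", 0) < 400 and target.startswith(f"https://{domain}")):
            problems.append("http:// does not redirect to https:// on the same host")
    header = https.get("hsts")
    if not header:
        problems.append("no Strict-Transport-Security header on the HTTPS base domain")
    else:
        d = hsts_directives(header)
        max_age = d.get("max-age")
        if max_age is None or not max_age.isdigit() or int(max_age) < ONE_YEAR:
            problems.append(f"max-age must be at least {ONE_YEAR} (got {max_age})")
        if "includesubdomains" not in d:
            problems.append("includeSubDomains directive missing")
        if "preload" not in d:
            problems.append("preload directive missing")
    for url, resp in responses.items():
        host = url.split("/")[2]
        if url.startswith("https://") and host.endswith("." + domain) and not resp.get("tls_ok"):
            problems.append(f"subdomain {host} is not served over valid HTTPS")
    return problems


# Constructed sample data: a domain that meets every requirement ...
SAMPLE_READY = {
    "http://yourcompany.co.uk/": {"status": 301, "location": "https://yourcompany.co.uk/"},
    "https://yourcompany.co.uk/": {
        "status": 200,
        "tls_ok": True,
        "hsts": "max-age=31536000; includeSubDomains; preload",
    },
    "https://www.yourcompany.co.uk/": {"status": 200, "tls_ok": True},
}

# ... and one still in the early rollout stage, with a legacy host on an expired certificate.
SAMPLE_NOT_READY = {
    "http://yourcompany.co.uk/": {"status": 200},  # serves content over HTTP, no redirect
    "https://yourcompany.co.uk/": {"status": 200, "tls_ok": True, "hsts": "max-age=300"},
    "https://legacy.yourcompany.co.uk/": {"status": 200, "tls_ok": False},
}
```

For SAMPLE_NOT_READY the function reports five problems: the missing HTTP redirect, the short max-age, the two missing directives, and the legacy subdomain; each of them is exactly the sort of thing that would also lock users out if the header were deployed with a long max-age before it was fixed.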
Checking your HSTS configuration
VP Shield checks for the HSTS header as part of the HTTP security headers section of every domain scan. It reports the max-age duration, whether includeSubDomains is present, and whether the header qualifies for preload submission.