HSTS Preloading: How to Enforce HTTPS Permanently
What is HSTS and what problem does it solve?
Without HSTS, the first request to a site often happens over HTTP - when a user types example.com without https://, clicks an HTTP link, or follows a bookmark saved before HTTPS was deployed. An attacker on the same network (public Wi-Fi, compromised router) can intercept this HTTP request and prevent the redirect to HTTPS.
The HSTS header solves this by telling the browser: “For the next [max-age] seconds, always use HTTPS for this domain, even if the user types http:// or clicks an HTTP link.”
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Once a browser receives this header over a valid HTTPS connection, it enforces HTTPS for the specified duration. HTTP requests are automatically upgraded to HTTPS without ever reaching the network.
How do you deploy HSTS safely?
Step 1: Start with a short max-age.
Strict-Transport-Security: max-age=300
This enforces HTTPS for only 5 minutes. If something breaks, the effect expires quickly.
Step 2: Test thoroughly. Verify all pages load correctly over HTTPS. Check for mixed content warnings (HTTP resources on HTTPS pages). Test forms, APIs, and integrations.
Step 3: Increase max-age gradually.
Strict-Transport-Security: max-age=86400
This enforces HTTPS for one day. Then move to one week (604800), then one month (2592000). Monitor for issues at each stage before increasing further.
Step 4: Add includeSubDomains.
Strict-Transport-Security: max-age=2592000; includeSubDomains
This applies HSTS to all subdomains. Before adding this, verify every subdomain supports HTTPS. A subdomain without HTTPS becomes inaccessible.
Step 5: Increase to one year and add preload.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Step 6: Submit for preloading at hstspreload.org. The site validates your configuration and submits your domain for inclusion in browser preload lists.
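As an added example, not part of this article or of the SurfaceLoop product, the following Python snippet parses a Strict-Transport-Security value and reports which header-level preload requirements from the steps above it still fails. It checks only the header itself; hstspreload.org additionally verifies the certificate, the HTTP-to-HTTPS redirect, and subdomain coverage. The sample header values are constructed from the rollout steps in this guide.

```python
import re

ONE_YEAR = 31536000  # minimum max-age accepted for preloading (one year)


def parse_hsts(header: str) -> dict:
    """Split a Strict-Transport-Security value into its directives.
    Directive names are case-insensitive (RFC 6797); max-age is mandatory."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        # Values may be quoted, e.g. max-age="31536000"
        directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        raise ValueError("invalid or missing max-age")
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def preload_blockers(header: str) -> list:
    """Return the header-level reasons a domain would be rejected for
    preloading; an empty list means the header matches Step 5 above."""
    try:
        h = parse_hsts(header)
    except ValueError as e:
        return [str(e)]
    problems = []
    if h["max_age"] < ONE_YEAR:
        problems.append(f"max-age {h['max_age']} is below one year ({ONE_YEAR})")
    if not h["include_subdomains"]:
        problems.append("includeSubDomains directive missing")
    if not h["preload"]:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # Constructed sample headers taken from the rollout steps in this guide.
    for sample in ("max-age=300",
                   "max-age=2592000; includeSubDomains",
                   "max-age=31536000; includeSubDomains; preload"):
        print(sample, "->", preload_blockers(sample) or "header is preload-ready")
```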
What are the risks of HSTS preloading?
Before preloading, verify:
- Every subdomain supports HTTPS. Not just the ones you know about - use EASM discovery to find all subdomains, including forgotten ones.
- No internal services use HTTP. Services on subdomains that are only reachable internally still fail when accessed from a browser that carries the preload list, because the browser forces HTTPS for every subdomain.
- You are committed. Preloading is designed to be permanent. While removal is possible, it takes 6-12 weeks to propagate through Chrome, Firefox, Safari, and Edge release cycles.
If you are not ready for preloading, standard HSTS with max-age=31536000; includeSubDomains (without preload) still provides strong protection for returning visitors.
How SurfaceLoop handles this
SurfaceLoop checks HSTS configuration across all your domains and subdomains. It identifies missing HSTS headers, short max-age values, and domains eligible for preloading. It also discovers subdomains that lack HTTPS support - a critical check before adding includeSubDomains or submitting for preloading.
Frequently asked questions
- What is HSTS preloading?
  HSTS preloading is the process of submitting your domain to browser-maintained lists that enforce HTTPS from the very first visit. Once preloaded, browsers will never make an HTTP connection to your domain - even on the first visit before receiving the HSTS header. This eliminates the 'first visit' vulnerability that standard HSTS leaves open.
- Can I undo HSTS preloading?
  Technically yes, but removal takes months. You can submit a removal request at hstspreload.org, but the change must propagate through browser release cycles. During this time, any subdomain that does not support HTTPS will be inaccessible. Only preload when you are certain all subdomains support HTTPS permanently.
- What are the requirements for HSTS preloading?
  The domain must serve a valid HTTPS certificate, redirect all HTTP traffic to HTTPS, serve the HSTS header on the base domain with a max-age of at least 31536000 (one year), include the includeSubDomains directive, and include the preload directive. All subdomains must also support HTTPS.
- Does HSTS affect SEO?
  HSTS itself does not directly affect search rankings, but it ensures all connections use HTTPS, which is a confirmed Google ranking factor. HSTS also prevents mixed-content issues and protocol downgrade attacks that could trigger browser warnings, which negatively impact user experience and indirectly affect SEO.