How Do I Enable HSTS on My Web Server?


Larry Thompson

How Do I Enable HSTS on My Web Server?

If you want to enhance the security of your website and protect it against certain types of attacks, enabling HTTP Strict Transport Security (HSTS) is a great step in the right direction. HSTS ensures that all communications between the web browser and the server are carried out over a secure HTTPS connection, making it virtually impossible for attackers to intercept sensitive information or launch man-in-the-middle attacks.

What is HSTS?

HSTS stands for HTTP Strict Transport Security. It is a web security policy mechanism that allows websites to inform web browsers that they should only interact with them securely via HTTPS, rather than using HTTP. Once a browser receives this instruction from a website, it will automatically convert all future HTTP requests into secure HTTPS requests for that particular domain.

HSTS helps prevent various types of attacks, including SSL-stripping attacks, where an attacker forces a user’s browser to downgrade from HTTPS to HTTP, leaving their communication vulnerable to interception and manipulation.

Enabling HSTS on Your Web Server

To enable HSTS on your web server, follow these steps:

  1. Check if your web server supports HSTS:

    • Open your terminal or command prompt.
    • Type the following command: curl -I
    • If you see the header “Strict-Transport-Security” in the response, it means your server already supports HSTS. In this case, you can skip to step 3.
  2. Configure your web server:

    • Open your web server configuration file (e.g., httpd.conf for Apache or nginx.conf for Nginx).
    • Add the following line to enable HSTS:
    • Strict-Transport-Security: max-age=31536000;

      This line tells the browser to enforce HSTS for your domain for a period of one year (31536000 seconds).

  3. Test your HSTS configuration:

    • Restart your web server.
    • Open your website in a browser.
    • In the browser’s developer tools, go to the Network tab and check if all requests are made over HTTPS. You can also use online tools like the SSL Server Test by Qualys SSL Labs to verify your HSTS configuration.

HSTS Preload List

In addition to enabling HSTS on your own web server, you can also submit your domain to the HSTS preload list. The preload list is built into major browsers, and it ensures that HSTS is always enforced for your domain, even for first-time visitors who have never accessed your website before. This provides an extra layer of security.

To submit your domain to the preload list, follow these steps:

  1. Visit the following website:
  2. Enter your domain and click on the “Submit” button.
  3. Review the requirements and make sure your website meets all of them.
  4. If your website meets the requirements, submit the form.
  5. Wait for your domain to be reviewed and added to the preload list. This process may take some time.


Enabling HSTS on your web server is a crucial step in improving the security of your website and protecting your users’ information. By enforcing secure HTTPS connections, you can significantly reduce the risk of various attacks and ensure that your visitors’ data remains safe. Remember to test your configuration and consider submitting your domain to the HSTS preload list for maximum security.

Discord Server - Web Server - Private Server - DNS Server - Object-Oriented Programming - Scripting - Data Types - Data Structures

Privacy Policy