How Do You Enforce HSTS on a Web Server?


Scott Campbell

Enforcing HTTP Strict Transport Security (HSTS) on a web server is an essential step in ensuring secure and encrypted communication between the server and the client. HSTS helps protect against various attacks, such as man-in-the-middle attacks, by forcing the browser to only communicate with the server over HTTPS.

What is HSTS?

HSTS is a security feature that allows a website to specify that it should only be accessed over HTTPS. When a browser receives an HSTS response header from a website, it remembers this information and automatically converts all future HTTP requests for that domain to HTTPS.

Why Enforce HSTS?

Enforcing HSTS provides several benefits:

  • Improved Security: By enforcing HSTS, you eliminate the risk of users accessing your website over an unencrypted connection.
  • Protection Against Attacks: HSTS prevents attackers from intercepting or modifying communication between the browser and the server.
  • Better SEO Ranking: Search engines prioritize HTTPS websites, so enforcing HSTS can positively impact your search engine ranking.

Enforcing HSTS on your Web Server

To enforce HSTS on your web server, follow these steps:

Step 1: Enable HTTPS

The first step is to ensure that your website is accessible over HTTPS. Obtain an SSL/TLS certificate and configure your web server to use it for secure connections.

Step 2: Add the HSTS Header

To enable HSTS, you need to add the following HTTP response header to all responses from your web server:

<IfModule mod_headers.c>
   Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

The Strict-Transport-Security header specifies the HSTS policy. The max-age directive sets the duration (in seconds) for which the browser should remember to enforce HTTPS. In this example, it is set to one year.

The includeSubDomains directive ensures that all subdomains are also covered by the HSTS policy.

The preload directive allows your website to be included in the HSTS preload list maintained by browsers, providing an additional layer of security.

Step 3: Test and Deploy

After adding the HSTS header, test your website using online tools like These tools will verify that your website is correctly enforcing HSTS and provide recommendations if any issues are found.

Once you have tested and verified everything, deploy the changes to your web server configuration.


HSTS is a crucial security feature that helps protect your website and users from various attacks. By enforcing HSTS on your web server, you can ensure secure and encrypted communication, improve your website’s security posture, and potentially enhance your search engine ranking. Follow the steps outlined in this article to enforce HSTS on your web server and enjoy a safer browsing experience for your users.

Discord Server - Web Server - Private Server - DNS Server - Object-Oriented Programming - Scripting - Data Types - Data Structures

Privacy Policy