What it is
An HSTS (HTTP Strict Transport Security) header, defined in RFC 6797, tells a browser that, for a defined period, it must rewrite any http:// URL for the host to https:// before the request leaves the machine and must treat certificate errors for the host as hard failures instead of offering a click-through warning. Without the header, a browser sends a plaintext request whenever it is handed one, for example when the user types a bare hostname or follows an old http:// link, and on an untrusted network (public Wi-Fi, captive portals, shared LANs) an attacker in the path can answer that request, strip the HTTPS redirect, and serve the site over HTTP while proxying to the real origin over TLS. The same attacker can present a bogus certificate and rely on the user clicking through, because nothing has told the browser that warnings for this host are not allowed. The policy is only learned from a successful HTTPS response, so the very first visit is unprotected unless the domain is on the browser preload list.
Why it matters
Even if every page is served over HTTPS in normal use, the absence of an HSTS policy leaves a downgrade window. An attacker who intercepts the first plaintext request (the classic SSL-stripping attack) keeps the user on an HTTP copy of the site while talking to the real origin over TLS, so pages, forms and cookies all appear to work and the browser shows no warning. Everything the user submits or receives crosses the attacker's machine before any secure session exists. That gap enables:
- Credential theft
- Session hijacking
- Injection of malicious content
How to reduce risk
- Serve the `Strict-Transport-Security` header on every HTTPS response (browsers ignore it on plaintext responses) with a long `max-age` (6–12 months or more; 31536000 seconds, one year, is the minimum the preload list accepts). Start with a short `max-age` while you confirm nothing on the host is reachable only over HTTP, then raise it.
- Add `includeSubDomains` when every subdomain, including ones that serve no web content, is reachable over HTTPS; the directive binds all of them.
- Add the `preload` directive and submit the domain to the official HSTS preload list (hstspreload.org) only after validating readiness; preloading is hard to undo because removal has to ship in browser releases.
- Continuously test TLS/HTTPS with external scanners to confirm the header is present and honoured, and that the HTTP port redirects to HTTPS on the same host.
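The checks in the list above can be scripted. The following is an added example, not code from the original page or from any scanner it mentions: it parses a `Strict-Transport-Security` value the way RFC 6797 describes, flags the weak settings discussed above (missing header, short `max-age`, `max-age=0`, malformed or repeated directives), and reports whether the header-level preload requirements (`max-age` of at least one year, `includeSubDomains`, `preload`) are met. The `fetch_hsts` helper that queries a live host, the sample header values, and the six-month threshold constant are assumptions for illustration.

```python
import http.client
import re
from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR = 31536000     # seconds; minimum max-age accepted by the preload list
SIX_MONTHS = 15768000   # seconds; assumed lower bound for "long enough" (6-12 months)


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(header_value: Optional[str]) -> HstsPolicy:
    """Parse one Strict-Transport-Security value following RFC 6797:
    directives are ';'-separated, names are case-insensitive, max-age is a
    required non-negative integer (optionally quoted), unknown directives are
    ignored. A repeated directive is reported as a problem (the RFC treats
    such a header as invalid); the first value is kept for grading."""
    policy = HstsPolicy()
    if header_value is None:
        policy.problems.append("header missing")
        return policy
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            policy.problems.append(f"directive repeated: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", value):
                policy.max_age = int(value)
            else:
                policy.problems.append(f"max-age is not an integer: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # any other directive name is ignored, as the RFC requires
    if policy.max_age is None:
        policy.problems.append("max-age missing; browsers ignore the whole header")
    elif policy.max_age == 0:
        policy.problems.append("max-age=0 deletes the cached policy")
    elif policy.max_age < SIX_MONTHS:
        policy.problems.append(f"max-age {policy.max_age}s is shorter than six months")
    return policy


def preload_ready(policy: HstsPolicy) -> bool:
    """Header-level part of the hstspreload.org requirements only. Redirecting
    HTTP to HTTPS and serving every subdomain over TLS must be checked separately."""
    return (policy.max_age is not None and policy.max_age >= ONE_YEAR
            and policy.include_subdomains and policy.preload)


def fetch_hsts(host: str, path: str = "/") -> HstsPolicy:
    """Assumed helper: HEAD the host over TLS and grade the header it sends.
    Only HTTPS is queried because a browser ignores HSTS received over HTTP."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return parse_hsts(resp.getheader("Strict-Transport-Security"))
    finally:
        conn.close()


# Constructed sample header values (not captured from any real site).
SAMPLES = {
    "missing": None,
    "too short": "max-age=300",
    "no subdomains": "max-age=31536000",
    "preload ready": "max-age=31536000; includeSubDomains; preload",
    "malformed": 'max-age="abc"; includeSubDomains',
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        policy = parse_hsts(value)
        print(f"{label:14} preload_ready={preload_ready(policy)} problems={policy.problems}")
```

Run it against `fetch_hsts("your.host.example")` once the header is deployed; an empty `problems` list with `preload_ready` true covers the header itself, and the redirect and subdomain checks still need a scanner or a separate script.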