You have installed an SSL certificate. You have set up a 301 redirect to send all traffic from HTTP to HTTPS. You think you are secure.
You might be wrong.
There is a small window of vulnerability called the “First Visit Gap.” When a user types yoursite.com into their browser (without https://), the browser first sends a request to the insecure http:// version. Your server then replies: “Hey, move to HTTPS.”
In that split second before the redirect happens, a sophisticated hacker on the same Wi-Fi network can launch an SSL Stripping attack, intercepting the connection and keeping the user on HTTP without them noticing.
HSTS (HTTP Strict Transport Security) is the solution to this problem. It is a security instruction that tells browsers: “Never, ever talk to this site over HTTP again. Even if the user asks for it.”
In this guide, we will explain how HSTS works, the risks of using it, and the exact code to implement it correctly.
How HSTS Works
HSTS is a response header sent by your web server. It looks like this:
```http
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```
Here is what those directives mean:
- Strict-Transport-Security: The name of the header.
- max-age=31536000: Tells the browser to remember this rule for 1 year (31,536,000 seconds).
- includeSubDomains: Tells the browser this rule applies to blog.yoursite.com, dev.yoursite.com, and all other subdomains.
- preload: Consents to having your domain hardcoded into Chrome/Firefox/Safari as “HTTPS Only” (more on this later).
Once a browser sees this header, it will internally redirect all future requests to HTTPS before they ever leave the user’s device. The insecure HTTP request is never sent.
Why Is HSTS Important?
1. Defeats SSL Stripping
Tools like sslstrip can trick a browser into downgrading a connection. HSTS makes this impossible because the browser refuses to load the site over HTTP.
2. Prevents Mixed Content Issues
Because the browser upgrades every request to a host covered by the HSTS policy, it can automatically fix accidental HTTP links to your own domain (images, scripts) that would otherwise trigger mixed-content warnings. Links to third-party hosts that do not send HSTS are not upgraded.
3. SEO Benefit
Google has confirmed that HSTS is a positive signal for their “HTTPS Everywhere” initiative. It also improves load times slightly by removing the server-side redirect step for returning visitors.
The Danger Zone: Read Before You Enable
HSTS is powerful, but it comes with a risk: It caches the instruction in the user’s browser.
If your SSL certificate expires or breaks, or if you decide to move a subdomain back to HTTP, users will be completely locked out of your site until the policy expires. They will see a scary “Your connection is not private” error, and they cannot click “Proceed anyway.”
The Golden Rule of HSTS Deployment:
Start with a short time (max-age) and test. Do not jump to 1 year immediately.
How to Configure HSTS in WordPress
You don’t configure this in the WordPress dashboard. You configure it at the server level (Apache or Nginx) or via Cloudflare.
Method 1: Apache (.htaccess)
Add this to your .htaccess file inside the IfModule mod_headers.c block.
Phase 1: Testing (5 Minutes)
```apache
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=300; includeSubDomains"
</IfModule>
```
Phase 2: Production (1 Year – Standard)
```apache
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>
```
Method 2: Nginx Configuration
Add this line to your server block (/etc/nginx/sites-available/yoursite):
```nginx
server {
    listen 443 ssl http2;
    server_name yoursite.com;

    # HSTS (ngx_http_headers_module is required) (1 Year)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # ... rest of config
}
```
Method 3: Cloudflare (Easiest)
If you use Cloudflare, you can enable HSTS with a toggle switch.
- Go to SSL/TLS → Edge Certificates.
- Scroll down to HTTP Strict Transport Security (HSTS).
- Click Enable HSTS.
- Follow the prompts to set the max-age and includeSubDomains.
Advanced: The HSTS Preload List
Even with HSTS, the very first time a user visits your site, they are still vulnerable because their browser hasn’t seen the header yet.
To fix this, Google maintains the HSTS Preload List. This is a hardcoded list of domains built into Chrome, Firefox, Safari, and Edge. If you are on this list, browsers know to use HTTPS before the first connection is ever made.
Requirements to join the Preload List:
- Serve a valid certificate.
- Redirect all HTTP to HTTPS.
- Serve the HSTS header on the HTTPS root domain.
- Set max-age to at least 1 year (31536000).
- Include includeSubDomains.
- Include preload.
How to Submit:
Visit hstspreload.org, enter your domain, and check eligibility.
Warning: Removal from the preload list takes months. Only do this if you are 100% committed to HTTPS forever on all subdomains.
How to Verify HSTS is Working
1. Browser Developer Tools
- Open Chrome DevTools (F12) → Network tab.
- Reload your site.
- Click the first request (yoursite.com).
- Look under Response Headers for Strict-Transport-Security.
2. FunSentry Scan
FunSentry checks your HTTP headers as part of its security audit.
- Missing Header: We flag it as a “Low/Medium” risk.
- Weak Configuration: We warn you if max-age is too short for SEO standards.
- Preload Ready: We verify if your syntax matches the requirements for the Preload list.
Summary Checklist
| Setting | Recommendation | Why? |
| --- | --- | --- |
| Max-Age | 31536000 (1 Year) | Required for Preload list; best for security. |
| SubDomains | includeSubDomains | Protects blog., mail., dev. subdomains. |
| Preload | preload | Allows you to submit to the browser hardcode list. |
| Deployment | Ramp Up Slowly | Start with 5 mins -> 1 week -> 1 month -> 1 year. |
Is your site enforcing strict security?
Don’t let your visitors browse insecurely for even a second. Run a free header check at FunSentry to see if HSTS is active and correctly configured for your WordPress site.
