HSTS: Close the Gap That Lets Attackers Intercept Your Traffic | DomainScores

HSTS forces browsers to always use HTTPS — closing the unencrypted window that exists on every first connection. Required by enterprise buyers and most insurers.

HTTPS redirects protect most connections — but not the very first one. When a visitor types your domain without https://, their browser makes an initial unencrypted request before the redirect kicks in. HSTS closes that window.

What HSTS does

HSTS (HTTP Strict Transport Security) is a response header that instructs browsers to never connect to your site over HTTP again — for a specified period, typically one year. Once a browser has seen your HSTS header, it enforces HTTPS internally before any network request is made.

The gap it closes is small but exploitable: SSL stripping attacks intercept that initial unencrypted request and downgrade the connection before the redirect happens. HSTS makes this impossible.

What happens without it

  • SSL stripping attacks can intercept first-visit connections, especially on public Wi-Fi
  • Enterprise buyers' security scanners flag missing HSTS — it appears on supplier questionnaires
  • Cyber insurance applications increasingly list HSTS as a baseline web security control
  • Without HSTS, your HTTPS setup is technically incomplete from a security standards perspective

What fixing it involves

HSTS is a single response header added to your web server or CDN configuration:

Strict-Transport-Security: max-age=31536000; includeSubDomains

HTTPS must be fully working before enabling HSTS. If you add HSTS while HTTPS has problems, browsers will refuse to load your site entirely — and the only fix is waiting for the max-age to expire.

What your domain scores right now

Run the free DomainScores check to see your current HSTS grade alongside 34 other security checks — instant, no signup.


Don't want to do this yourself? Domain Fix from €1,197 — we configure HSTS and every other failing check. Grade B+ guaranteed, or your money back.