HTTPS redirects protect most connections — but not the very first one. When a visitor types your domain without https://, their browser makes an initial unencrypted request before the redirect kicks in. HSTS closes that window.
What HSTS does
HSTS (HTTP Strict Transport Security) is a response header that instructs browsers to never connect to your site over HTTP again — for a specified period, typically one year. Once a browser has seen your HSTS header, it enforces HTTPS internally before any network request is made.
The gap it closes is small but exploitable: SSL stripping attacks intercept that initial unencrypted request and downgrade the connection before the redirect happens. HSTS makes this impossible.
What happens without it
- SSL stripping attacks can intercept first-visit connections, especially on public Wi-Fi
- Enterprise buyers' security scanners flag missing HSTS — it appears on supplier questionnaires
- Cyber insurance applications increasingly list HSTS as a baseline web security control
- Without HSTS, your HTTPS setup is technically incomplete from a security standards perspective
What fixing it involves
HSTS is a single response header added to your web server or CDN configuration:
Strict-Transport-Security: max-age=31536000; includeSubDomains
HTTPS must be fully working before enabling HSTS. If you add HSTS while HTTPS has problems, browsers will refuse to load your site entirely — and the only fix is waiting for the max-age to expire.
What your domain scores right now
Run the free DomainScores check to see your current HSTS grade alongside 34 other security checks — instant, no signup.
Don't want to do this yourself? Domain Fix from €1,197 — we configure HSTS and every other failing check. Grade B+ guaranteed, or your money back.