Tells browsers to always use a secure, encrypted connection to your site — and never accept an unencrypted one, even if someone tries to trick them into it.
When someone types your website address into a browser, the browser first tries to connect using plain, unencrypted HTTP before being redirected to HTTPS. That split second of unencrypted connection is an opportunity for an attacker — especially on public Wi-Fi — to intercept the request and serve a fake version of your site. This attack is called SSL stripping.
HSTS fixes this by making the browser remember: "This site has promised it always uses HTTPS. Never even attempt HTTP." After the first visit, the browser skips the unencrypted step entirely for the duration of the max-age period.
Imagine a bank that only accepts customers through its secure side entrance. HSTS is like the bank giving every customer a card that says: "Never use the front door — it's always the side entrance." Even if someone redirects you to the front door, you'll ignore them because you know better.
Without the header, every single visit starts with a brief unencrypted HTTP request. On a coffee-shop Wi-Fi, an attacker running a man-in-the-middle tool can intercept that request and serve a fake login page.
Strict-Transport-Security: max-age=300
max-age=300 means 5 minutes. If the browser goes 5 minutes without receiving a fresh header over HTTPS, it forgets the policy and will try plain HTTP again. Almost no protection.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
A one-year max-age. includeSubDomains extends the policy to every subdomain. preload signals that the domain may be submitted to the browser preload lists, so even first-time visitors are protected.
Add the header in your web server or hosting configuration. Choose your platform:
Nginx: add inside your server block:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
Apache: add to your .htaccess or VirtualHost config:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Go to SSL/TLS → Edge Certificates and enable HTTP Strict Transport Security (HSTS). Cloudflare provides a toggle with options for max-age and includeSubDomains — no code changes needed.
Install the Headers Security Advanced & HSTS WP plugin, or add the header via your functions.php file using header(). Most managed WordPress hosts (WP Engine, Kinsta) have HSTS toggles in their dashboards.
Only add preload when you're certain your entire domain and all subdomains will always support HTTPS. Removal from the preload list takes months and can lock visitors out if you ever need to serve HTTP. Start with just max-age=31536000; includeSubDomains and add preload later.
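As an added example (not code from this page or from any of the platforms above), here is a small Python checker that parses a Strict-Transport-Security value the way RFC 6797 describes it and grades it against the weak and strong headers shown above, including the preload eligibility caveat. The function names and the sample header values are constructed for this example.

```python
ONE_YEAR = 31536000  # seconds; the minimum max-age the preload list accepts

def parse_hsts(header):
    """Split a Strict-Transport-Security value into {directive: value}.
    Names are case-insensitive and values may be quoted (RFC 6797)."""
    directives = {}
    for part in header.split(";"):
        if not part.strip():
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:  # RFC 6797 forbids repeating a directive
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value.strip().strip('"')
    return directives

def evaluate_hsts(header):
    """Return (verdict, findings) for a header value, or for None when absent."""
    if header is None:
        return "missing", ["no HSTS header: every visit can start over plain HTTP"]
    try:
        d = parse_hsts(header)
    except ValueError as err:
        return "invalid", [str(err)]
    if not d.get("max-age", "").isdigit():
        return "invalid", ["max-age is required and must be a non-negative integer"]
    max_age = int(d["max-age"])
    if max_age == 0:
        return "disabled", ["max-age=0 tells the browser to drop the policy"]
    findings = []
    if max_age < ONE_YEAR:
        findings.append(f"max-age={max_age}: policy lapses {max_age // 60} min after the last HTTPS visit")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains stay reachable over HTTP")
    strong = max_age >= ONE_YEAR and "includesubdomains" in d
    if "preload" in d:
        findings.append("preload-eligible: removal from the list later takes months" if strong
                        else "preload set but not eligible: needs max-age>=31536000 and includeSubDomains")
    return ("strong" if strong else "weak"), findings

# Constructed sample header values, one per scenario discussed above
SAMPLES = {"no header": None, "weak": "max-age=300",
           "strong": "max-age=31536000; includeSubDomains; preload"}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        verdict, findings = evaluate_hsts(value)
        print(f"{label}: {verdict}")
        for finding in findings:
            print("  -", finding)
```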