Strict-Transport-Security (HSTS) tells a browser that, for a set time, it may only reach this host over HTTPS: it rewrites http:// links to https:// before sending the request and refuses to let the user click through certificate errors.
That defeats SSL-strip style downgrade attacks, but only once the browser has seen the header over a valid HTTPS connection (the first visit is unprotected unless the domain is preloaded) — and the policy is sticky for the whole max-age, so roll it out carefully.
The value
Strict-Transport-Security: max-age=31536000; includeSubDomains
max-age=31536000 — 1 year, in seconds. The policy expires this long after the last HTTPS response that carried the header; each response refreshes the timer.
includeSubDomains — applies to every subdomain, including hosts that only exist on internal DNS or still serve plain HTTP. Only add it once they are all reachable over HTTPS.
preload — see below; only with the two options above and max-age ≥ 1 year (31536000).
Browsers ignore the header on plain-HTTP responses, so it must come from the HTTPS side; sending it over HTTP is harmless but does nothing.
Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Put it in the HTTPS server block. always makes nginx attach the header to every response code, not only 2xx/3xx. Beware that add_header is not inherited into a location block that has any add_header of its own; repeat it there, or the header silently disappears for those paths.
Apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Needs mod_headers (a2enmod headers) and belongs in the :443 VirtualHost. always sends the header on non-2xx responses as well, such as redirects and error pages.
Caddy
Caddy provisions certificates and redirects HTTP to HTTPS by default, but it does not add HSTS on its own; set it explicitly in the site block:
header Strict-Transport-Security "max-age=31536000; includeSubDomains"
_headers (Cloudflare Pages / Netlify)
/*
  Strict-Transport-Security: max-age=31536000; includeSubDomains
Preload (optional, advanced)
To be built into browsers’ preload lists, add preload and submit the domain at hstspreload.org. The checker there requires all of the following: a valid certificate, http://yourdomain.com redirecting to HTTPS on the same host, every subdomain served over HTTPS, and the header below (max-age of at least 31536000, includeSubDomains, preload) on the base domain’s HTTPS response itself, including on the redirect response if https://yourdomain.com then redirects elsewhere:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Verify
curl -sI https://yourdomain.com | grep -i strict-transport-security
Repeat against an error path and a subdomain in scope: a missing always, or an nginx location block with its own add_header, drops the header there while the home page looks fine. Also confirm that http://yourdomain.com answers with a redirect to https://, since browsers discard HSTS on plain-HTTP responses.
Rollback caveat: browsers cache HSTS for the whole max-age, and only a response delivered over valid HTTPS can shorten it. To back out, serve
max-age=0 and let clients hit the site to clear it — but a client that can no longer complete an HTTPS connection never sees that response and stays pinned until its timer runs out, and preload removal is slow (weeks to
months, as it waits on browser releases). Start with a short max-age (e.g. 300), confirm nothing breaks over HTTPS on every host in scope, then raise it in steps (a day, a week, a year) before adding includeSubDomains or preload.
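As an added example that is not part of the original page, the following POSIX shell helper turns the verify step and the staged rollout above into a repeatable check: it parses the header value a server returns, classifies it against the thresholds the page uses (max-age=0 cleared, under a year too short for preload, includeSubDomains plus preload ready to submit), and checks that the plain-HTTP origin redirects to HTTPS on the same host, which hstspreload.org also requires. The function names are my own and example.com is a placeholder; only the two fetch functions touch the network.

```shell
#!/bin/sh
# Added example, not from the original page: parse an HSTS header value,
# classify it against the thresholds above, and check the HTTP->HTTPS
# redirect that hstspreload.org requires. "example.com" is a placeholder.

# Normalise a header value to one lowercase directive per line, no spaces.
hsts_directives() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr -d ' \t' | tr ';' '\n'
}

# hsts_max_age VALUE -> prints the max-age number, or nothing if absent/invalid.
hsts_max_age() {
  hsts_directives "$1" | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# hsts_has VALUE TOKEN -> exit 0 if directive TOKEN (lowercase) is present.
hsts_has() {
  hsts_directives "$1" | grep -qx "$2"
}

# hsts_classify VALUE -> missing | invalid | disabled | short | long | preload-ready
#   disabled      max-age=0, the rollback value
#   short         below one year, so not yet preload-eligible
#   long          >= one year but without includeSubDomains + preload
#   preload-ready the header-side preload requirements are all met
hsts_classify() {
  value=$1
  if [ -z "$value" ]; then echo missing; return; fi
  age=$(hsts_max_age "$value")
  if [ -z "$age" ]; then echo invalid; return; fi
  if [ "$age" -eq 0 ]; then echo disabled; return; fi
  if [ "$age" -lt 31536000 ]; then echo short; return; fi
  if hsts_has "$value" includesubdomains && hsts_has "$value" preload; then
    echo preload-ready; return
  fi
  echo long
}

# redirect_ok STATUS LOCATION HOST -> exit 0 if STATUS is a redirect whose
# Location is https://HOST (same host), which the preload list requires.
redirect_ok() {
  case "$1" in 301|302|307|308) ;; *) return 1 ;; esac
  case "$2" in "https://$3"|"https://$3/"*) return 0 ;; *) return 1 ;; esac
}

# Live probes (need network): the header value served over HTTPS, and the
# status plus Location that the plain-HTTP origin answers with.
fetch_hsts() {
  curl -sI "$1" | tr -d '\r' | sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity: *//p' | head -n 1
}
fetch_redirect() {
  curl -sI -o /dev/null -w '%{http_code} %{redirect_url}\n' "$1"
}

# Usage: sh hsts-check.sh example.com
if [ -n "$1" ]; then
  host=$1
  hdr=$(fetch_hsts "https://$host")
  echo "HSTS: ${hdr:-<none>} -> $(hsts_classify "$hdr")"
  set -- $(fetch_redirect "http://$host")
  if redirect_ok "$1" "$2" "$host"; then
    echo "redirect: ok ($1 -> $2)"
  else
    echo "redirect: http://$host does not redirect to https://$host ($1 ${2:-no Location})"
  fi
fi
```

Run it against each host in scope (the bare domain, www, and any subdomain includeSubDomains will cover) rather than the home page alone; a result of short on the base domain means the ramp-up is still in progress, and anything other than preload-ready plus a passing redirect check means hstspreload.org will reject the submission.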