๐Ÿ”’
blog.cat.ssl

HSTS header: forcing HTTPS

12.05.2025
โ† All articles

HSTS tells browser 'this site is always HTTPS'.

Why

301 redirect isn't enough โ€” first HTTP connection possible (MITM).

Header

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

HSTS Preload List

hstspreload.org โ€” Google list. All browsers know.

Caution

Once enabled โ€” hard to roll back. Test carefully.

Related articles

๐Ÿ“ฑ SSL pinning: the strongest defense against MITM attacks in mobile apps ๐Ÿค SSL handshake process: the inner mechanics of TLS negotiation step by step ๐Ÿ”“ HTTPS padlock disappeared: causes and step-by-step fixes โฐ Monitoring SSL certificate expiry: alert services and automation tools
๐ŸŒ Language
๐Ÿ‡บ๐Ÿ‡ฟ O'zbek ๐Ÿ‡บ๐Ÿ‡ฟ ะŽะทะฑะตะบ ๐Ÿ‡ท๐Ÿ‡บ ะ ัƒััะบะธะน ๐Ÿ‡ฌ๐Ÿ‡ง English โœ“