HTTP Strict Transport Security (HSTS) is a web security policy that tells browsers to only connect to your site over HTTPS, preventing downgrade attacks and cookie hijacking.

What max-age value should I use?

For production sites, at least 1 year (31536000 seconds) is recommended. For HSTS preload list submission, 2 years (63072000 seconds) is the recommended minimum.

What does includeSubDomains do?

When set, the HSTS policy applies to all subdomains as well. Only enable this if every subdomain serves valid HTTPS — otherwise some subdomains may become unreachable.

What is the preload flag?

The preload directive signals your intent to be included in browser HSTS preload lists. Preload requires max-age of at least 31536000 (1 year) and includeSubDomains must also be set.

Can I remove HSTS once set?

Yes, but browsers cache the header for the duration of max-age. To remove HSTS quickly, serve the header with max-age=0. If you submitted to the preload list, removal can take months.

HSTS Header Generator

Name: HSTS Header Generator
Availability: InStock
Author: Nham Vu

Configure max-age, includeSubDomains, and preload options to generate a ready-to-use Strict-Transport-Security header with server config snippets.

Configure HSTS Header

max-age (seconds)

Presets

includeSubDomains

Apply HSTS to all subdomains

preload

Signal intent for HSTS preload list inclusion

Generated Header

Strict-Transport-Security: max-age=31536000

Server Config Snippets

Copied!

Summary