Let’s talk about HSTS. It sounds like a secret code, right? But really, it’s just a smart way to keep your website visitors safe. I use it on all my websites because I want to protect people from sneaky tricks some hackers use. In this post, I’ll walk you through how to turn it on, step by step, whether you’re using Apache or Nginx. I’ll also explain what it means in plain English, so you won’t feel like you’re reading a science textbook.
You won’t need to be a server expert to follow along. If you know how to open your web server’s config file, you’re already halfway there.
What Is HSTS?
HSTS stands for HTTP Strict Transport Security. That’s a mouthful, I know. Let me break it down for you.
- HTTP is how your web browser talks to websites.
- Strict means “no funny business.”
- Transport Security is just a fancy way of saying, “keep things safe while moving.”
When HSTS is turned on, your browser tells itself, “Only use HTTPS when visiting this website.” That means no more loading the insecure version (HTTP) by mistake. And that’s a big win for privacy.
Have you ever typed in a website name, hit Enter, and noticed it first loads the non-secure version before switching to HTTPS? HSTS fixes that. It skips the insecure step and goes straight to the safe one.
Why You Should Care
You might be thinking, “Well, my site already uses HTTPS. Isn’t that enough?” I used to think that too. But HSTS adds an extra layer of safety.
Without HSTS, someone on the same Wi-Fi as you (like at a coffee shop) could trick your browser into thinking the site doesn’t use HTTPS. That’s called a man-in-the-middle attack. It’s not as cool as it sounds—it’s actually pretty shady.
Here’s what HSTS helps with:
- Forces your site to load only over HTTPS
- Blocks users from accidentally visiting the insecure version
- Makes some browser warnings even stronger
Think of HTTPS as the seatbelt, and HSTS as the car lock. They go well together.
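To make “the browser tells itself to only use HTTPS” concrete, here is a small model of the HSTS cache a browser keeps. It is an added example, not code from the original post or from any browser: it remembers a host only when the header arrived over HTTPS (a header seen over plain HTTP is ignored, because someone in the middle could have put it there), honors max-age expiry and includeSubDomains, rewrites http:// navigations to https://, and treats a preloaded host as permanently remembered. Times are passed in as plain numbers so the behaviour is reproducible; the hostnames are made up.

```python
# Added example (not from the original post): a toy model of the HSTS cache
# a browser keeps. Real browsers use the wall clock; here "now" is a number.
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    """Maps a hostname to (expiry time, includeSubDomains flag)."""

    def __init__(self, preloaded=()):
        # Preloaded hosts ship inside the browser and never expire.
        self._entries = {host: (float("inf"), True) for host in preloaded}

    def observe_response(self, host, over_https, max_age, include_subdomains, now):
        """Record the policy carried by one response.

        RFC 6797 only lets the header count when it arrived over HTTPS:
        on plain HTTP an attacker in the path could inject or strip it.
        """
        if not over_https:
            return
        if max_age == 0:
            # max-age=0 tells the browser to forget the site again.
            self._entries.pop(host, None)
            return
        self._entries[host] = (now + max_age, include_subdomains)

    def _matches(self, host, now):
        for known, (expiry, subs) in self._entries.items():
            if expiry <= now:
                continue  # policy has run out; back to normal behaviour
            if host == known or (subs and host.endswith("." + known)):
                return True
        return False

    def navigate(self, url, now):
        """Return the URL the browser will actually request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._matches(parts.hostname, now):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    # Constructed scenario: shop.example sends the header, first over HTTP, then over HTTPS.
    cache = HstsCache(preloaded=["bank.example"])
    cache.observe_response("shop.example", over_https=False, max_age=31536000,
                           include_subdomains=True, now=0)
    print(cache.navigate("http://shop.example/cart", now=10))        # still http: header ignored
    cache.observe_response("shop.example", over_https=True, max_age=31536000,
                           include_subdomains=True, now=0)
    print(cache.navigate("http://shop.example/cart", now=10))        # upgraded to https
    print(cache.navigate("http://blog.shop.example/", now=10))       # subdomain upgraded too
    print(cache.navigate("http://shop.example/cart", now=31536001))  # one year later: expired
    print(cache.navigate("http://bank.example/", now=0))             # preloaded: always https
```

The expiry check is also why the short max-age=86400 test setting mentioned later in the post is safe: if something breaks, the browser forgets the rule after a day, while a preloaded entry cannot be undone from the server side at all.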
What You Need Before You Start
You need to have HTTPS working on your site first. HSTS only works if your site already has a secure certificate (like from Let’s Encrypt). If your site still uses plain old HTTP, fix that first.
Also, make sure you have access to your server settings. This could be:
- A control panel like cPanel or Plesk
- SSH access to your VPS or cloud server
- A hosting dashboard with custom config options
Ready? Let’s pop the hood.
How to Enable HSTS on Apache
I use Apache on a few of my test servers, and turning on HSTS is pretty easy.
- Open your Apache config file. This could be something like /etc/apache2/sites-available/your-site.conf, or a .htaccess file (but I prefer the main config).
- Find the <VirtualHost *:443> section. This is for HTTPS.
- Add this line inside that block:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Let me explain what that means:
- max-age=31536000 tells the browser to remember HTTPS for one year.
- includeSubDomains means subdomains (like blog.yoursite.com) will also follow the rule.
- preload lets you ask browsers to hard-code your site into their HTTPS-only list. (I’ll explain more in a bit.)
- Save the file, then restart Apache:
sudo systemctl restart apache2
If Apache doesn’t throw a fit (no errors), you’re good.
How to Enable HSTS on Nginx
I mostly use Nginx for my websites now—it’s faster and uses fewer resources. Here’s how I add HSTS there.
- Open your Nginx server block config. Usually: /etc/nginx/sites-available/your-site
- Inside the server {} block that listens on 443 (HTTPS), add this:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
The always part means “add this header on every response, even error responses like a 404 or 500.”
- Save, then test the config:
sudo nginx -t
- If it says “syntax is ok,” reload Nginx:
sudo systemctl reload nginx
Done. Now your site tells browsers, “Don’t even think about using HTTP again.”
What About Preload?
You saw the word preload in that header line, right? This one’s optional but pretty cool.
Preloading is like asking Google Chrome, Firefox, and other browsers to remember your site as HTTPS-only—even if someone types in just “yourdomain.com.” The browser never even tries HTTP. It already knows to go secure.
But here’s the deal:
- Your site must have a valid HTTPS setup.
- You must include includeSubDomains and preload in the header.
- You have to submit your site to https://hstspreload.org
That’s it. After that, your site becomes part of a giant “safe list” inside browsers.
Things to Watch Out For
When I first turned on HSTS, I made a mistake. I used it on a site where one of the subdomains didn’t have HTTPS yet. That broke stuff. So here’s what I learned:
Before enabling HSTS with includeSubDomains:
- Make sure all subdomains support HTTPS.
- Test them by visiting each one in your browser with https://
If you just want to test first:
- Leave off includeSubDomains and preload
- Try:
Header always set Strict-Transport-Security "max-age=86400"
This only lasts for 1 day.
That way, if something breaks, you’re not stuck for a year.
Quick HSTS Checklist
Here’s a short list to double-check everything:
- ✅ Do you have a working HTTPS setup?
- ✅ Are you editing the right server block (for port 443)?
- ✅ Did you set the right header with the correct syntax?
- ✅ Did you restart or reload your server?
If all those are “yes,” then HSTS should be working.
How to Test If HSTS Works
You can test it using:
- https://securityheaders.com
- https://hstspreload.org
- Browser dev tools → Network tab → Check response headers
Look for the line that says:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
If it’s there, you’re golden.
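If you would rather check the header from a script than read it off the Network tab, here is a small checker. It is an added example, not code from the original post or from hstspreload.org: it parses a Strict-Transport-Security value the way a browser reads it, lists anything that would make a browser ignore the header (no max-age, a non-numeric max-age, a directive given twice), and reports whether the value meets the preload rules listed above (max-age of at least one year, includeSubDomains, preload). The sample header values are constructed; the optional fetch_hsts_header helper uses the standard library and only accepts https:// URLs, because browsers only honor the header on HTTPS responses, which is also why the post puts it in the port 443 block and nowhere else.

```python
# Added example (not from the original post): parse and check a
# Strict-Transport-Security header value.
from dataclasses import dataclass, field
from typing import Optional
import urllib.request

ONE_YEAR = 31536000  # seconds; the max-age value used in the post


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: list = field(default_factory=list)   # things that make a browser ignore the header
    ignored: list = field(default_factory=list)    # unknown directives (browsers skip these)

    @property
    def valid(self) -> bool:
        # RFC 6797: max-age is required, and a malformed header is ignored entirely.
        return self.max_age is not None and not self.problems


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a value such as 'max-age=31536000; includeSubDomains; preload'."""
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        arg = arg.strip().strip('"')     # max-age="300" is allowed by the RFC grammar
        if name in seen:
            # Each directive may appear only once; otherwise the whole header is ignored.
            policy.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if arg.isdigit():
                policy.max_age = int(arg)
            else:
                policy.problems.append("max-age must be a non-negative integer")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        else:
            policy.ignored.append(name)
    if policy.max_age is None:
        policy.problems.append("max-age is missing; browsers ignore the header without it")
    return policy


def preload_issues(policy: HstsPolicy) -> list:
    """Reasons hstspreload.org would reject this header (the rules listed in the post)."""
    issues = []
    if policy.max_age is None or policy.max_age < ONE_YEAR:
        issues.append(f"max-age must be at least {ONE_YEAR} (one year)")
    if not policy.include_subdomains:
        issues.append("includeSubDomains is required")
    if not policy.preload:
        issues.append("preload directive is required")
    return issues


def check_header(value: Optional[str]) -> dict:
    """Summarise one header value; None means the response carried no header."""
    if value is None:
        return {"present": False, "valid": False, "max_age_days": None,
                "problems": ["no Strict-Transport-Security header"],
                "preload_ready": False, "preload_issues": []}
    policy = parse_hsts(value)
    issues = preload_issues(policy)
    return {
        "present": True,
        "valid": policy.valid,
        "max_age_days": None if policy.max_age is None else policy.max_age // 86400,
        "problems": policy.problems,
        "preload_ready": policy.valid and not issues,
        "preload_issues": issues,
    }


def fetch_hsts_header(url: str) -> Optional[str]:
    """Fetch one https:// URL and return its Strict-Transport-Security value (None if absent)."""
    if not url.lower().startswith("https://"):
        raise ValueError("HSTS is only meaningful over https://")
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.headers.get("Strict-Transport-Security")


# Constructed sample values (not captured from a real site).
SAMPLE_FULL = "max-age=31536000; includeSubDomains; preload"   # the post's production header
SAMPLE_TEST = "max-age=86400"                                   # the post's one-day test header
SAMPLE_BROKEN = "includeSubDomains; preload"                    # no max-age: browsers ignore it

if __name__ == "__main__":
    for sample in (SAMPLE_FULL, SAMPLE_TEST, SAMPLE_BROKEN):
        print(sample, "->", check_header(sample))
    # Live check of your own site: print(check_header(fetch_hsts_header("https://yoursite.example/")))
```

Run it against the one-day test header and you get a valid policy that is not preload-ready, which is exactly the state you want while you are still checking subdomains.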
Final Thoughts
Turning on HSTS is like putting a “Do Not Enter” sign on your website’s backdoor. It’s simple, safe, and smart.
Here’s a quick recap of the benefits:
- Protects visitors from sneaky attacks
- Speeds up browser connections to your site
- Helps search engines and browsers trust your site more
And hey, I like knowing that my site isn’t whispering secrets over an unencrypted line.
Got stuck? Don’t panic. Server configs can be picky. If something doesn’t work, just remove the line, restart your server, and start fresh. It’s not permanent unless you add preload.
Because tech doesn’t have to be dry as toast:
- Why did the HTTP site break up with HTTPS? It just couldn’t handle the security in the relationship.
- I told my site to redirect to HTTPS. It said, “I’m already there emotionally.”
- HSTS walked into a bar… and told everyone, “I’m strictly secure. No mixed signals.”
Want help testing your setup or confused about a step? I’ve been there too. Feel free to ask questions or share your own setup stories.
Have you tried turning on HSTS yet? Did anything surprise you?