HSTS (HTTP Strict Transport Security)
HSTS (HTTP Strict Transport Security) is a response header that tells browsers to load a domain only over HTTPS for a declared duration. It is defined in RFC 6797. It eliminates the HTTP-to-HTTPS redirect on repeat visits and blocks protocol-downgrade (SSL-stripping) attacks against returning visitors. Sites can submit to the HSTS preload list for first-visit protection.
Long definition
HSTS is sent as a single response header on HTTPS pages:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Once a browser sees this header on an HTTPS connection with a valid certificate, it caches the policy for the max-age duration (in seconds; 31,536,000 is one year). For that window, the browser refuses to load the domain over plain HTTP and refuses to let users click through certificate errors for that host. A request for an http:// URL never leaves the browser; the scheme is rewritten to https:// locally before any connection is opened.
The three directives:
- max-age=N — required. Duration in seconds. Browsers ignore the header on plain HTTP, and on an HTTPS response whose certificate failed validation. To remove HSTS, set max-age=0 and serve it over HTTPS.
- includeSubDomains — optional but recommended. Extends the policy to every subdomain, at every depth. Be careful: if any subdomain doesn't yet support HTTPS, this breaks it.
- preload — opt-in to inclusion in the HSTS preload list, a hardcoded list shipped with Chrome, Firefox, Safari, and Edge. The directive is not part of RFC 6797; browsers ignore it at runtime, and it only signals consent to the list maintainers. Preloaded domains are HTTPS-only from the very first visit, before any HSTS header is seen. Submission requires max-age ≥ 1 year (31536000), includeSubDomains, the preload directive itself, a valid certificate with HTTP on the bare domain redirecting to HTTPS, and a working HTTPS setup across all subdomains.
The SEO relevance is small but real. HTTPS has been a confirmed (minor) ranking signal since 2014. HSTS removes the 301 redirect from http:// to https:// on repeat visits: the browser skips the plaintext connection and the redirect response entirely, which is measurable on TTFB. It also closes the window in which a man-in-the-middle could strip HTTPS during that initial redirect, but only for returning visitors who already hold the policy; only preloading closes it for a first visit.
The deployment risk: HSTS is sticky. A user who sees max-age=31536000 is locked in for a year regardless of what you change next, unless the server later sends max-age=0 over HTTPS. Test with a short max-age (300 to 3600 seconds) for a week, then ramp to one year, then add includeSubDomains, then submit to preload. Reversing preload takes weeks to months, because a removal only reaches users through a new browser release.
Common misconceptions
- "HSTS is required for HTTPS." It's not. HTTPS works without HSTS. HSTS is a hardening layer that prevents downgrade attacks and removes the initial redirect — useful, but optional.
- "Setting HSTS is a major ranking boost." It isn't. The HTTPS ranking signal is already counted once you have a working certificate. HSTS adds security and a minor speed gain on repeat visits, not a ranking jump.
- "I can disable HSTS by removing the header." You can't, retroactively. Browsers honor the cached policy until it expires. Setting max-age=0 is the correct rollback, and it has to be served over HTTPS to take effect.
- "includeSubDomains is always safe." It applies to every subdomain immediately, including ones you don't operate over HTTPS. Audit *.yourdomain.com before enabling it.
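The browser side of the directive list above and of these rollback and subdomain points, as an added example that is not code from the page: a small Python model of the HSTS cache that parses the header per RFC 6797, ignores it on plain HTTP or after a certificate error, rewrites http:// URLs locally, walks parent domains for includeSubDomains, refuses certificate click-through on a known host, expires entries after max-age, and shows that dropping the header changes nothing while max-age=0 over HTTPS clears the entry. The hosts (shop.example, legacy.shop.example), the timestamps and the preloaded set are constructed for illustration; treating preloaded hosts as includeSubDomains and immune to max-age=0 is an assumption that mirrors how browsers keep static and dynamic state apart.

```python
"""Model of a browser's HSTS cache per RFC 6797 sections 6 and 8. Added
example, not code from the page; hosts, headers and times are constructed."""
import re


def parse_sts_header(value):
    """Return (max_age, include_subdomains), or None where a browser would
    ignore the header (missing or non-numeric max-age, section 6.1).
    'preload' is not a browser directive and is skipped as unknown."""
    max_age, include_subdomains = None, False
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)


class HstsStore:
    """Dynamic entries (host -> (expires_at, include_subdomains)) plus a static
    preloaded set that max-age=0 cannot clear (assumed includeSubDomains)."""

    def __init__(self, clock, preloaded=()):
        self.clock = clock                           # returns current time
        self.dynamic = {}
        self.preloaded = {h.lower() for h in preloaded}

    def observe_response(self, host, scheme, sts_header, cert_ok=True):
        """Only a clean HTTPS response may set or clear policy; max-age=0 clears."""
        if scheme != "https" or not cert_ok or not sts_header:
            return
        parsed = parse_sts_header(sts_header)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:
            self.dynamic.pop(host.lower(), None)
        else:
            self.dynamic[host.lower()] = (self.clock() + max_age,
                                          include_subdomains)

    def is_known_hsts_host(self, host):
        """Superdomain walk (section 8.1): an exact entry always applies, a
        parent's entry only if it carried includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:
                return True
            entry = self.dynamic.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= self.clock():
                del self.dynamic[candidate]          # expired: forget it
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite_url(self, url):
        """Rewrite http:// to https:// locally, before any connection is made
        (section 8.3): port 80 becomes the default, other ports are kept."""
        m = re.match(r"^http://([^/:?#]+)(?::(\d+))?(.*)$", url)
        if not m or not self.is_known_hsts_host(m.group(1)):
            return url
        host, port, rest = m.groups()
        port_part = "" if port in (None, "80") else f":{port}"
        return f"https://{host}{port_part}{rest}"

    def may_bypass_cert_error(self, host):
        """Section 8.2: no click-through on a known HSTS host."""
        return not self.is_known_hsts_host(host)


def demo():
    """Lifecycle walk-through on a fake clock; returns outcomes by step."""
    now = [1_000_000.0]
    store, r = HstsStore(clock=lambda: now[0]), {}
    store.observe_response("shop.example", "http", "max-age=31536000")
    r["http_ignored"] = store.rewrite_url("http://shop.example/")
    store.observe_response("shop.example", "https",
                           "max-age=31536000; includeSubDomains; preload")
    r["upgraded"] = store.rewrite_url("http://shop.example/cart?x=1")
    r["subdomain"] = store.rewrite_url("http://legacy.shop.example/")
    r["cert_bypass"] = store.may_bypass_cert_error("legacy.shop.example")
    store.observe_response("shop.example", "https", None)
    r["still_pinned"] = store.rewrite_url("http://shop.example/")
    store.observe_response("shop.example", "https", "max-age=0")
    r["rolled_back"] = store.rewrite_url("http://shop.example/")
    store.observe_response("shop.example", "https", "max-age=300")
    now[0] += 301
    r["expired"] = store.rewrite_url("http://shop.example/")
    return r
```

Running demo() shows the header being ignored on HTTP, the upgrade and subdomain coverage after one HTTPS response, no change when the header simply disappears, a clean rollback on max-age=0, and expiry once the clock passes max-age; the same store can be seeded with a preloaded set to see that max-age=0 does not touch it.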