HTTP Strict Transport Security (HSTS) is a security rule, delivered as a small header, that instructs browsers to only ever talk to your website over an encrypted connection and never over plain, unsecured HTTP. Once a browser has seen the rule, it remembers it and silently upgrades every future visit to the secure version, even if someone types the address without https.

Picture a doorman who, after your first visit, writes down ‘this guest only uses the armoured back entrance’. From then on, no matter which door you approach, you are quietly directed to the secure one. HSTS gives the browser that same standing instruction for your domain, removing the risky moment where an insecure connection is even attempted.

It works on top of HTTPS and a valid SSL certificate; HSTS does not replace them, it makes sure they are always used. As one of the more impactful website security headers, it blocks a class of attacks that try to downgrade visitors to an unencrypted connection. The trade-off is discipline: with HSTS on, you must keep certificates valid, because the browser will refuse rather than fall back.

A few details are worth knowing before you switch it on. The header has a max-age, often a year, which is how long the browser enforces the rule, so it pays to start with a short value while you confirm everything works. Adding includeSubDomains extends it to every subdomain, which catches people out if an internal tool still runs on plain HTTP. And the preload list, baked into browsers like Chrome and Firefox, is effectively permanent, so a domain is hard to remove once added. Treat that step as a one-way door.

At TopDevs we enable HSTS once a client’s HTTPS setup is solid, so every visitor is locked onto the secure connection from their very first click.