/ˌeɪtʃ-tiː-ɛs-tiː-ɛs/
n. “Never talk unencrypted, even if asked nicely.”
HSTS, short for HTTP Strict Transport Security, is a web security policy mechanism that tells browsers to always use HTTPS when communicating with a specific site. Once a browser sees the HSTS header from a site, it refuses to make any unencrypted HTTP requests for that domain, effectively preventing downgrade attacks and certain types of man-in-the-middle attacks.
Introduced in 2012, HSTS is a response to the persistent problem of users accidentally navigating to HTTP versions of sites or attackers attempting to intercept HTTP traffic and redirect users to malicious endpoints. By enforcing HTTPS strictly, HSTS removes that human and technical error vector.
The policy is communicated via a special response header: Strict-Transport-Security. A typical header might look like this: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. This tells the browser to enforce HTTPS for one year (31536000 seconds), to apply the policy to all subdomains, and, through the optional preload token, signals that the domain may be submitted to browser preload lists.
For practical purposes, HSTS ensures that once a user visits a site securely, every subsequent visit—even if they type "http://" or click an outdated link—will automatically upgrade to HTTPS. This eliminates the chance of insecure communication slipping in and protects sensitive data like passwords, session cookies, and personal information.
Sites like online banking, e-commerce platforms, and cloud services often implement HSTS in combination with TLS to maximize security. It works hand-in-hand with HTTPS, certificate validation, and other transport-layer security mechanisms.
A subtle but important feature is HSTS preload. Maintained by browsers, this list allows domains to be hardcoded as HTTPS-only, preventing the first connection from ever occurring over HTTP. Domains must meet specific criteria—valid certificates, redirect from HTTP to HTTPS, and correct header configuration—to be added to this list safely.
Misconfiguration can backfire. If a domain deploys HSTS but later mismanages its certificates, users can be locked out because browsers refuse HTTP fallbacks. Planning, monitoring, and automation are crucial.
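The header format, the browser-side upgrade behaviour and the preload header criteria described above, as an added Python example (not code from the original entry). It models the browser's HSTS cache as a plain dict; the `preload_eligible` helper is a hypothetical check covering only the three header criteria named here, not the full preload submission requirements.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security value; return None if it is invalid."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name in directives:  # RFC 6797: a repeated directive invalidates the header
            return None
        if name:
            directives[name] = value.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():  # max-age is mandatory
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}


def preload_eligible(header):
    """Hypothetical check of the header criteria only: one year, includeSubDomains, preload."""
    p = parse_hsts(header)
    return bool(p and p["max_age"] >= 31536000 and p["include_subdomains"] and p["preload"])


def observe(store, url, header, now=time.time):
    """Update a browser-style HSTS cache (host -> (expiry, includeSubDomains))
    from one response. Returns True if the header was accepted."""
    parts = urlsplit(url)
    policy = parse_hsts(header)
    if parts.scheme != "https" or policy is None:  # header is ignored over plain HTTP
        return False
    if policy["max_age"] == 0:  # max-age=0 tells the browser to forget the host
        store.pop(parts.hostname, None)
    else:
        store[parts.hostname] = (now() + policy["max_age"], policy["include_subdomains"])
    return True


def upgrade(store, url, now=time.time):
    """Rewrite an http:// URL to https:// if a live policy covers its host."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    labels = parts.hostname.split(".")
    for i in range(len(labels)):  # the host itself, then each parent domain
        entry = store.get(".".join(labels[i:]))
        if entry and entry[0] > now() and (i == 0 or entry[1]):
            return urlunsplit(("https",) + tuple(parts[1:]))
    return url
```

Injecting `now` lets you reproduce the expiry case from the lock-out discussion: once max-age elapses without a fresh header, the browser silently stops upgrading.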
In short, HSTS enforces a strict policy: encrypted communication only, no exceptions, no shortcuts. It strengthens HTTPS adoption and ensures that even naive users remain protected against some of the most common web-layer attacks. Once deployed properly, it is a silent but formidable guardian of modern web security.