Understanding HSTS and How It Works with Your SSL Certificate
HSTS tells browsers to always use HTTPS for your domain. Learn how it works, how to enable it, and what happens when an HSTS certificate expires.
HTTP Strict Transport Security (HSTS) is an HTTP response header that instructs browsers to always connect to your site over HTTPS — even if the user types http:// or clicks an HTTP link. Combined with a valid SSL certificate, it eliminates an entire class of downgrade attacks.
The Attack HSTS Prevents
Without HSTS, an attacker on the same network can intercept an initial HTTP request (before the redirect to HTTPS) and strip the SSL — serving a plain HTTP version of your site. This is the SSL stripping attack. HSTS prevents it by making the browser refuse to even initiate an HTTP connection to a previously-visited HTTPS site.
The HSTS Header
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- max-age — how long browsers remember the HSTS policy (seconds). 1 year is common.
- includeSubDomains — extends the policy to all subdomains. Requires valid certificates on every subdomain.
- preload — opts into the browser preload list (HTTPS is enforced even on first visit).
HSTS and Certificate Expiry
HSTS has a critical interaction with certificate management: if your certificate expires and you haven't renewed it, HSTS-enabled browsers won't let users bypass the error. Unlike a normal certificate error where users can click "Proceed anyway," an HSTS error has no override. See certificate expired errors for what this looks like.
This is why certificate monitoring is especially important for HSTS-enabled sites. A lapsed certificate on an HSTS site is a complete service outage for returning visitors.
HSTS Errors
If you're seeing HSTS errors, it's usually because:
- You're testing with a self-signed certificate on a domain that previously had HSTS
- You moved a subdomain from HTTPS to HTTP while includeSubDomains was set
- The certificate chain is broken — even with HSTS, the certificate must be fully valid
Decode any SSL certificate instantly
Paste any PEM certificate into the free decoder — see subject, issuer, SANs, fingerprints, validity dates, and all X.509 extensions explained in plain English.
Open the Decoder