HTTP Strict Transport Security, or HSTS, is a web server rule that tells browsers to only connect using HTTPS. It removes the option for a browser to fall back to an unencrypted HTTP connection.
When a browser first visits a site, the server sends an HSTS header stating how long the browser should remember to use HTTPS only. The browser stores this rule and automatically converts any future HTTP request to that domain into HTTPS before sending it. This happens before any network request goes out, so an attacker cannot intercept the first unencrypted request. Many sites also submit their domain to an HSTS preload list built into browsers, so protection starts on the very first visit.
Match the strength of this control to what is actually at risk in the workflow.
USER-country-de-session-task01The credential string is the only configuration needed -- "country-de" sets the exit, "session-task01" keeps it consistent, and hsts is handled by the gateway rather than your application code.
Test the setup with a leak-test tool or packet capture to confirm this protection is actually working, not just configured.
Pair this with sane session handling and header hygiene -- no single control covers a full workflow on its own.
Apply the strongest version of this control to logins, payments, and personal data -- it is overkill for public information.
Do not let two workflows that need to stay separate for privacy or account reasons share the same session or IP.
A browser that has cached an HSTS rule for a shopping site will automatically rewrite http links to https links before loading the page.
HSTS closes a common gap that attackers use in SSL stripping attacks. Sites that handle logins or payments should always enable it to protect users on public networks.
It is very difficult once a browser has cached the rule or the domain is on the preload list, but the very first unprotected visit before caching can still be at risk. Preloading removes even that gap.
Yes. HTTPS alone does not stop a browser from trying HTTP first, which HSTS prevents by forcing encrypted connections automatically.
Ready to put this into practice? Security Documentation
Start a free trial and test with real targets -- no credit card, no sales call.