Defaults.Exposed

HSTS

Also known as: HTTP Strict Transport Security, Strict-Transport-Security

A rule your site sends to browsers that says 'always connect to me securely' — closing a gap attackers use to intercept that first, unprotected visit.

What it is

HSTS stands for HTTP Strict Transport Security. It is a short instruction (the Strict-Transport-Security response header) that your website sends to a visitor's browser along with a secure (HTTPS) page, saying: "From now on, only ever connect to me securely, never over an unprotected connection." The browser remembers the rule for as long as the header's max-age value says (typically a year or more, refreshed on every secure visit) and enforces it automatically: any plain http:// link or typed address for your site is switched to https:// before the request ever leaves the browser. Browsers ignore the header if it arrives over an unprotected connection, which is why your site must already be serving over HTTPS for it to take effect.

Why it matters to your business

Even when your site has a valid certificate, there is a sliver of risk in the very first connection. A visitor who types your address without "https://", or follows an old http:// link, starts over an unprotected connection and relies on your server to redirect them to the secure version. An attacker on the same network (public Wi-Fi, for instance) can intercept that unprotected request before the redirect happens and quietly keep the visitor on an unprotected connection, or send them to a look-alike site, capturing whatever they type.

HSTS removes that gap. Once a browser has been told the rule, it refuses to connect to your site insecurely at all: the switch to https:// happens inside the browser, so there is no unprotected request for the attacker to intercept. The browser also stops visitors clicking through certificate warnings for your site, so a forged certificate fails outright instead of producing a warning someone might dismiss. For your customers it is invisible; for you it is a quiet, one-time hardening that protects every return visit. (The very first visit from a brand-new browser is still unprotected unless your domain is on the browsers' built-in preload list, which is an optional further step.)

How to tell / what to do

Our free checker tells you whether HSTS is switched on for your site. If it isn't, the HSTS fix guide explains how to enable it safely: it is a single response header added by whoever manages your website, and it is free. It is best turned on only once every page, image and script on your site already works over a secure connection, because the browser will hold visitors to the rule for the full max-age even if something on your site later breaks over HTTPS, and if the rule includes your subdomains, every one of them must work over HTTPS too. The usual safe rollout is a short max-age for the first few days, extended to a year or more once nothing breaks, which the guide covers.
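To make the header and the "switched on safely" test concrete, here is a small offline checker, added as an illustration and not the site's own checker or code from this page. It parses the Strict-Transport-Security header value the way a browser does (a missing or duplicated max-age makes the whole header invalid, unknown directives are ignored, the header is ignored over plain http) and grades a few constructed sample responses. The six-month "weak" threshold is an assumption for the example; the one-year, includeSubDomains and preload combination is what the browser preload list requires of the header itself.

```python
"""Offline HSTS header check. Added example, not the site's checker.
The sample responses below are constructed, not captured from any domain."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SIX_MONTHS = 15_552_000  # seconds; assumed threshold for "properly enabled"
ONE_YEAR = 31_536_000    # seconds; header requirement of the browser preload list


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse the directives of a Strict-Transport-Security header value.

    Returns None when the value is malformed (no max-age, a repeated max-age,
    or a non-numeric one), in which case browsers ignore the header entirely.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age="300" is allowed
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as browsers do
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def assess(scheme: str, headers: Dict[str, str]) -> str:
    """Grade one response; `scheme` is that of the request that produced it."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing"
    if scheme != "https":
        return "ignored: header sent over plain http"  # browsers discard it
    policy = parse_hsts(value)
    if policy is None:
        return "invalid"
    if policy.max_age == 0:
        return "disabled: max-age=0 clears the rule"
    if policy.max_age < SIX_MONTHS:
        return f"weak: max-age={policy.max_age} (under six months)"
    preload_ok = (policy.include_subdomains and policy.preload
                  and policy.max_age >= ONE_YEAR)
    return "strong" + (" (preload-eligible)" if preload_ok else "")


# Constructed sample responses: (request scheme, response headers)
SAMPLE_RESPONSES: Dict[str, Tuple[str, Dict[str, str]]] = {
    "no-hsts": ("https", {"Content-Type": "text/html"}),
    "short-pilot": ("https", {"Strict-Transport-Security": "max-age=300"}),
    "full": ("https", {"Strict-Transport-Security":
                       "max-age=63072000; includeSubDomains; preload"}),
    "over-http": ("http", {"Strict-Transport-Security": "max-age=63072000"}),
    "broken": ("https", {"Strict-Transport-Security": "includeSubDomains"}),
}


def check_all() -> Dict[str, str]:
    """Grade every sample response."""
    return {name: assess(scheme, hdrs)
            for name, (scheme, hdrs) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in check_all().items():
        print(f"{name:12s} {verdict}")
```

The "short-pilot" case is the safe first step described above: a small max-age while confirming nothing on the site breaks over HTTPS, to be raised only once it works.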

Want to fix this on your own domain? See the free guide →