HSTS Configuration Issues | Blue Frog Docs

HSTS Configuration Issues

Understanding and fixing HTTP Strict Transport Security configuration problems

What This Means

HTTP Strict Transport Security (HSTS) is a security feature that tells browsers to connect to a website only over HTTPS, preventing protocol downgrade attacks and cookie hijacking. HSTS configuration issues can lead to:

  • Users connecting over insecure HTTP connections
  • Man-in-the-middle (MITM) attack vulnerabilities
  • SSL stripping attacks bypassing HTTPS
  • Cookies transmitted over insecure connections
  • Failed HSTS preload list submission
  • Browser warnings for misconfigured HSTS

Proper HSTS implementation is critical for protecting user data and maintaining trust.

How to Diagnose

Check HSTS Header

# Check if HSTS header is present
curl -I https://example.com | grep -i strict-transport-security

# Expected response:
# Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Browser DevTools

  • Open Network tab and check response headers
  • Look for Strict-Transport-Security header
  • Verify max-age value is sufficient (minimum 31536000 for preload)

Online Testing Tools

Common Issues

  • Missing HSTS header entirely
  • max-age value too short (less than 1 year)
  • Missing includeSubDomains directive
  • HSTS header sent over HTTP (ineffective)
  • HTTP redirects that send users elsewhere before the HTTPS response carrying the HSTS header is ever seen

General Fixes

  1. Set proper HSTS header - Include max-age, includeSubDomains, and preload

    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    
  2. Use sufficient max-age - Set to at least 1 year (31536000 seconds) for security

  3. Include subdomains - Add includeSubDomains to protect all subdomains

  4. Add to HSTS preload list - Submit to hstspreload.org for permanent browser protection

  5. Redirect HTTP to HTTPS - Ensure every HTTP request redirects to HTTPS; browsers honor the HSTS header only on an HTTPS response

    # nginx configuration
    # Plain-HTTP listener: redirect everything to HTTPS. Do not send the
    # HSTS header here; browsers ignore it on non-TLS responses.
    server {
      listen 80;
      server_name example.com;
      return 301 https://$server_name$request_uri;
    }
    
    # HTTPS listener (TLS certificate directives omitted for brevity)
    server {
      listen 443 ssl;
      server_name example.com;
      # "always" emits the header on every status code, including 3xx/4xx/5xx.
      # Note: an add_header inside a location block replaces all add_header
      # directives inherited from this server block, so repeat it there.
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    }
    
  6. Test before preloading - Start with shorter max-age (e.g., 300) to test, then increase

  7. Ensure valid SSL certificate - HSTS requires a valid, trusted certificate across the domain and all of its subdomains

  8. Remove insecure content - Eliminate mixed content (http:// subresources), which triggers browser warnings and undermines an HSTS deployment
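The header checks from "How to Diagnose" and "Common Issues", together with the browser behaviour the fixes above rely on, as a Python example added here (it is not Blue Frog's tooling or any browser's code; the hostnames, header values and clock value are constructed). check_hsts() reports each problem from the Common Issues list for a given header, and HstsStore is a toy model of a browser's HSTS cache that shows why a header on a plain-HTTP response does nothing, why includeSubDomains decides whether www. is covered, and how max-age expiry and max-age=0 behave.

```python
"""HSTS header checker and toy browser policy store.

Added example for illustration; not part of the Blue Frog docs or any
browser's code. Sample hostnames, header values and timestamps are constructed.
"""
from __future__ import annotations

ONE_YEAR = 31536000  # seconds; minimum max-age for hstspreload.org submission


def parse_hsts(value: str) -> dict[str, str]:
    """Split a Strict-Transport-Security value into a directive map.

    Directive names are case-insensitive, so keys are lower-cased; a repeated
    directive keeps its first value; flags without a value map to "".
    """
    directives: dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name and name not in directives:
            directives[name] = val.strip().strip('"')
    return directives


def check_hsts(header: str | None, *, scheme: str = "https",
               want_preload: bool = True) -> list[str]:
    """Return the configuration problems found; an empty list means OK.

    Mirrors the Common Issues list: missing header, short max-age, missing
    includeSubDomains, header served over plain HTTP, plus a preload check.
    """
    if header is None:
        return ["missing Strict-Transport-Security header"]
    problems: list[str] = []
    if scheme != "https":
        problems.append("HSTS header sent over HTTP; browsers ignore it")
    d = parse_hsts(header)
    try:
        max_age = int(d["max-age"])
    except (KeyError, ValueError):
        problems.append("max-age missing or not an integer")
        max_age = -1
    if 0 <= max_age < ONE_YEAR:
        problems.append(f"max-age={max_age} is shorter than one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if want_preload and "preload" not in d:
        problems.append("preload directive missing (needed for hstspreload.org)")
    return problems


class HstsStore:
    """Minimal model of a browser's HSTS cache: host -> (expiry, includeSubDomains)."""

    def __init__(self) -> None:
        self.entries: dict[str, tuple[float, bool]] = {}

    def process_response(self, host: str, scheme: str,
                         header: str | None, now: float) -> None:
        """Record the policy from one response the way a browser would.

        Only HTTPS responses count, a malformed header is ignored, and
        max-age=0 deletes the stored policy (the way to back HSTS out again).
        """
        if scheme != "https" or header is None:
            return
        d = parse_hsts(header)
        try:
            max_age = int(d["max-age"])
        except (KeyError, ValueError):
            return
        if max_age <= 0:
            self.entries.pop(host, None)
            return
        self.entries[host] = (now + max_age, "includesubdomains" in d)

    def should_upgrade(self, host: str, now: float) -> bool:
        """Would an http:// request to `host` be rewritten to https://?

        Checks the host itself, then each parent domain; a parent's policy
        applies only if it was stored with includeSubDomains.
        """
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue  # no policy, or policy expired
            if i == 0 or entry[1]:
                return True
        return False


if __name__ == "__main__":
    good = "max-age=31536000; includeSubDomains; preload"
    print(check_hsts(good))                      # []
    print(check_hsts("max-age=300"))             # three problems
    store, t0 = HstsStore(), 1_700_000_000.0     # constructed clock value
    store.process_response("example.com", "http", good, t0)   # ignored: not HTTPS
    print(store.should_upgrade("example.com", t0))            # False
    store.process_response("example.com", "https", good, t0)
    print(store.should_upgrade("www.example.com", t0))        # True
```

To check a live site, pipe the header value from the curl command in "Check HSTS Header" into check_hsts(); the want_preload flag lets you run the same checks for a deployment that is not going to be submitted to the preload list.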

Platform-Specific Guides

  • nginx: HSTS Configuration
  • Apache: HSTS Setup Guide
  • Cloudflare: Enable HSTS
  • AWS CloudFront: Custom Headers
  • Next.js: Security Headers

Further Reading