Implement HSTS Preload to Speed up Your Site and Increase Security

HSTS (HTTP Strict Transport Security) is a way for a web server to tell web browsers that connections to it must always use the secure HTTPS protocol. It defends against protocol downgrade attacks and improves site speed. HSTS preload addresses the TOFU (Trust On First Use) problem.

How HSTS Works

Suppose a user types the following address without specifying HTTP or HTTPS:

seostepbysteplab.com

By default, the web browser sends the request over plain HTTP, which is insecure. The web server receives this HTTP request and responds with a 301 redirect to HTTPS. The web browser then sends an HTTPS request:

https://seostepbysteplab.com

The web server receives this HTTPS request and sends the web page along with an HSTS header. The HSTS header tells the web browser that from here on out it must always connect to this domain over HTTPS. The HSTS header looks like this:

Strict-Transport-Security: max-age=31536000

Benefits of HSTS

Once the web browser knows it must always connect to that domain over HTTPS, a hacker sitting in the middle can’t downgrade HTTPS to HTTP, as the web browser will stop the HTTP connection.

HSTS also removes the user’s ability to add a security exception when the web browser displays a certificate error warning, preventing the user from erroneously trusting a wrong TLS certificate (self-signed or rogue certificate).

In terms of site speed, HSTS helps the website eliminate one round trip, because the web browser will internally redirect HTTP to HTTPS before the request is sent out to the Internet.

HSTS Preload

HSTS is not perfect: the first time a user visits the website, the connection can still be made over plain HTTP if the user doesn’t specify HTTPS as the protocol scheme. A hacker sitting in the middle can hijack this very first HTTP connection and prevent the web browser from ever receiving the HSTS header. This is known as the TOFU (Trust On First Use) problem.

The hacker can also mount a downgrade attack when:

  • The user clears the web browser cache.
  • The HSTS policy expires (the expiry is subject to NTP time attacks).

To mitigate this threat, webmasters can choose to preload the HSTS policy into web browsers. Once the domain is preloaded, web browsers will internally redirect HTTP to HTTPS for your domain no matter what.

HSTS preloading saves one round trip on the user’s first visit and helps the site make a good first impression.

How to Enable HSTS header and Preload it into Web Browsers

To enable the HSTS header in the Apache web server, edit your virtual host configuration file and add the following directive.

Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"

Save and close the file. Then reload Apache for the change to take effect.

sudo systemctl reload apache2

To enable the HSTS header in the Nginx web server, edit your Nginx server block and add the following directive.

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

Save and close the file. Then reload Nginx for the change to take effect.

sudo systemctl reload nginx

Then go to https://hstspreload.org and check your domain’s HSTS preload status and eligibility. Once it is eligible, submit your site to the HSTS preload list. The list is run by Google and used by Google Chrome, Firefox and Safari.
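To see what the eligibility check looks at in the header itself, here is an added example (not part of the original tutorial) that parses a Strict-Transport-Security value using the RFC 6797 directive syntax and reports which of the preload-list requirements (max-age of at least one year, includeSubDomains, preload) it fails. The sample header values are constructed; the list’s other requirements, such as a valid certificate and an HTTP-to-HTTPS redirect, are not checked here.

```python
import re

ONE_YEAR = 31536000  # seconds; the smallest max-age hstspreload.org accepts


def parse_hsts(value: str) -> dict:
    """Split an HSTS header value into its directives (RFC 6797 syntax).

    Directive names are case-insensitive, max-age is a run of digits that may
    be quoted, and unknown directives are ignored as the RFC requires.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                raise ValueError(f"invalid max-age value: {arg!r}")
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def preload_problems(value: str) -> list:
    """Return the reasons a header value fails the preload-list requirements."""
    policy = parse_hsts(value)
    problems = []
    if policy["max_age"] is None:
        problems.append("max-age directive is missing")
    elif policy["max_age"] < ONE_YEAR:
        problems.append(f"max-age {policy['max_age']} is shorter than one year")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains directive is missing")
    if not policy["preload"]:
        problems.append("preload directive is missing")
    return problems


# Constructed samples: the two directives from this tutorial plus a
# short-lived header that would be rejected.
if __name__ == "__main__":
    for header in ("max-age=31536000; includeSubdomains; preload",
                   "max-age=63072000; includeSubdomains; preload",
                   "max-age=86400"):
        print(header, "->", preload_problems(header) or "eligible")
```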


You should also use a 301 permanent redirect to force HTTPS on all of your web pages and set https://your-domain.com as the preferred domain in Google Search Console.

Checking Preload Status

3 months later, I checked the status and my domain was added to the preload list.


You can also run the SSL Labs test to check which browsers have preloaded your domain name. As you can see, my domain name is preloaded into Chrome, Edge, Firefox and IE.


How to Check if HSTS Preloading is Working

Let’s use Google Chrome as an example. Clear Chrome’s browser cache. Then press Ctrl+Alt+I to open Developer Tools and click the Network tab. Next, enter the domain name in the address bar. You will see the list of resources fetched from the server. Because my domain is preloaded into Google Chrome, it internally redirects http to https (status 307), which took 3ms.


In contrast, a 301 permanent redirect took 556ms.


Now we clearly see the speed benefits of HSTS preloading.

The Danger of HSTS Preload

To add your domain to the preload list, you have to specify the “includeSubdomains” option, which means all sub-domains will also be forced to use HTTPS. If you have a sub-domain on which you don’t want to enforce HTTPS but your domain is preloaded, then web browsers will first internally redirect from HTTP to HTTPS, find that there is no valid certificate for the sub-domain, and stop the connection. You can’t add a security exception because of HSTS, even if you create a self-signed certificate.

Figure: Firefox security alert

Figure: Google Chrome security alert
