Learning Center June 11, 2025

What Is HSTS and How Does It Strengthen HTTPS Security?

What is HSTS?

HTTP Strict Transport Security (HSTS) is a browser-enforced policy that requires web applications to load only over HTTPS. Once a browser receives a valid HSTS header, it refuses to connect to that domain with HTTP—even if the user manually types “http://”.

HSTS blocks downgrade attacks and man-in-the-middle (MITM) attempts by forcing all connections over HTTPS. It is especially critical for login portals, financial applications, and any platform that processes sensitive or regulated data. HTTP is significantly less secure than HTTPS, making the use of HSTS a critical step to ensure secure, encrypted connections.

What Is HSTS Used For?

HSTS addresses multiple browser-layer threats:

  • SSL stripping attacks that downgrade secure connections
  • Man-in-the-middle (MITM) attacks that intercept traffic before it reaches HTTPS
  • Cookie hijacking, which lets attackers steal cookies, impersonate victims, and gain access to sensitive data
  • In strong implementations, consistent encryption across subdomains as well

When configured properly, HSTS enforces a strict HTTPS-only policy that prevents browsers from making insecure connections. It also can reduce latency and help organizations meet regulatory or compliance requirements.

HSTS and Third-Party Supply Chain Risk

Even if your own HSTS policy is well-configured, supply chain risk persists if vendors don’t follow suit, as HSTS gaps may be overlooked in vendor-managed assets. And the risk is rising: Over 35.5% of breaches in 2024 began with third-party compromise, according to SecurityScorecard breach research.

Common exposure scenarios may include:

  • Login pages hosted by vendors without HSTS
  • Redirects that pass through non-encrypted endpoints
  • Marketing sites or landing pages missing header enforcement

SecurityScorecard continuously monitors for:

  • Missing or malformed HSTS headers
  • Redirect chains that involve unencrypted steps
  • Subdomains lacking consistent HTTPS enforcement


How Does HSTS Work? Best Practices for Deployment

HSTS best practices in 2025 require careful implementation and ongoing validation:

Set a Long max-age

Set max-age so that HSTS is enforced for one year, i.e. 31536000 seconds. Short durations undermine trust in the policy and widen the window in which an attacker can exploit a lapsed or expired entry.

Enable includeSubDomains

Apply the policy across your entire domain. This prevents attackers from targeting overlooked or unmonitored subdomains.

Submit to the HSTS Preload List

Preloading ensures browsers enforce HSTS before a user ever visits your site, closing the gap in which the very first request would otherwise be sent before any HSTS header has been received. Domains on the HSTS preload list benefit from enforcement baked into the browser itself.

Maintain Strong TLS Configuration

Since HSTS relies on HTTPS, enforce modern cipher suites, validate the certificate chain, and keep TLS configurations up to date.
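As an added example (not code from the original article or from SecurityScorecard), the following Python checker applies the four practices above, plus the "missing or malformed header" check described under supply chain risk, to constructed Strict-Transport-Security values; the host names in SAMPLES are hypothetical.

```python
import re

ONE_YEAR = 31536000  # minimum max-age in seconds recommended above

def parse_hsts(header):
    """Split an HSTS header value into a {directive: value} dict. Names are
    case-insensitive and lower-cased; None means missing or malformed."""
    if header is None:
        return None
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if not name:            # empty segment, e.g. from a trailing ';'
            continue
        if name in directives:  # a repeated directive is not valid
            return None
        directives[name] = value.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None             # max-age absent or not a number
    return directives

def assess_hsts(header):
    """Return findings against the four practices above; [] means compliant."""
    d = parse_hsts(header)
    if d is None:
        return ["missing or malformed HSTS header"]
    findings = []
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 removes the policy from the browser")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age {max_age} is shorter than one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains are not covered")
    if "preload" not in d:
        findings.append("preload missing: not eligible for the preload list")
    return findings

# Constructed sample header values for hypothetical hosts, as they would
# appear in a response's Strict-Transport-Security line.
SAMPLES = {
    "login.vendor.example": None,                  # header missing
    "www.example": "max-age=abc",                  # malformed value
    "legacy.example": "max-age=300",               # far too short
    "app.example": "max-age=31536000; includeSubDomains",
    "example": "max-age=63072000; includeSubDomains; preload",
}
REPORT = {host: assess_hsts(v) or ["OK"] for host, v in SAMPLES.items()}
```

Feed it the header values collected from your own and vendor-hosted login, redirect and marketing endpoints to get the same per-host findings the monitoring section describes.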

Final Thoughts

HSTS is a high-impact security control. It can help your security team close the encryption gaps that attackers are constantly looking for, whether in your own domain, its subdomains, or supply chain assets. SecurityScorecard helps teams discover bad HSTS practices or misconfigurations and assess HSTS security posture across your digital ecosystem.


Frequently Asked Questions

What is HSTS used for?

HSTS is used to force browsers to connect only via HTTPS, preventing downgrade attacks and blocking connections to unsecured versions of a site.

Does HSTS improve security?

Yes. It ensures browsers use HTTPS instead of HTTP, which helps eliminate SSL stripping and man-in-the-middle (MITM) attacks. HSTS enforces encryption by default and can support regulatory compliance as well.

Should I enable HSTS?

Enabling HSTS provides stronger protection and mitigates avoidable risk.

How can I monitor for HSTS risks?

SecurityScorecard flags bad HSTS practices or misconfigurations across both internal and vendor-owned assets. SecurityScorecard continuously monitors for missing or malformed HSTS headers, redirect chains that involve unencrypted steps, or subdomains lacking consistent HTTPS enforcement.
