Home / Tools / Enable HSTS to prevent protocol downgrade attacks
Domain & DNS Health · Scan Check Guide

Enable HSTS to prevent protocol downgrade attacks

15 min Impact: high Effort: medium ✓ Scan-verified — no manual checkbox

HSTS (Strict-Transport-Security) tells browsers that already know your site to NEVER attempt a plain-HTTP connection again, even if a user types http:// or clicks an old http:// link — closing the specific window where a network attacker could intercept that very first request before a redirect to HTTPS happens.

HSTS forces browsers to only ever connect to your site over HTTPS, closing a window attackers use to downgrade connections. It is a modern security baseline Google's Best Practices audit checks.

How to fix it

  1. 1
    Add the HSTS header
    Strict-Transport-Security: max-age=31536000; includeSubDomains — set via your server config or Cloudflare.
  2. 2
    Start with a shorter max-age if uncertain
    You can start with a shorter duration (like 300 seconds) to test safely, then increase to the full year once confirmed working correctly.
  3. 3
    Confirm all subdomains are HTTPS-ready before including them
    includeSubDomains applies the policy to every subdomain — make sure none of them are HTTP-only before adding this.

Common mistakes

How you'll know it's done

The Strict-Transport-Security header is present with a meaningful max-age, ideally including subdomains.

Tools that help

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →