./ahmedhashim

HSTS Preload

When you type a website address into your browser’s URL bar, one of the first decisions it makes is whether to connect via http:// or https://.

HTTP sends the data in plaintext, while HTTPS wraps the connection in TLS, which encrypts and integrity-protects the traffic so it can be neither read nor tampered with in transit. It also lets the browser cryptographically verify that it is talking to the real server, via the certificate the server presents.

Most web servers bridge the two by accepting http:// traffic on port 80 and immediately redirecting it to https:// on port 443. That works, but it still leaves a small window on the first request.

The first hop

When loading the HTTP URL directly, the redirect flow looks like this:

  sequenceDiagram
    participant B as Browser
    participant S as Server

    B->>S: GET http://example.com
    S-->>B: 307 Redirect to https://example.com
    B->>S: GET https://example.com
    S-->>B: 200 OK

What that looks like in the Chrome devtools network panel:

http to https redirect in chrome devtools

That redirect is usually fast, but if the first request goes over HTTP, anyone on the path can see it. On a hostile network, they may also be able to tamper with the redirect and keep the browser on plaintext HTTP.

This is why modern sites generally treat HTTPS as the default. Traffic stays encrypted in transit, and Secure cookies stay on HTTPS requests. Browsers also increasingly expect a secure context for modern features and protocols.

When you consider HTTPS to be your baseline, the next step is making the browser remember that your site should never be loaded over HTTP again.

HSTS

HTTP Strict Transport Security, or HSTS, is a response header (Strict-Transport-Security) that tells the browser to use HTTPS for every future request to that host.

Once the browser sees the header on a valid HTTPS response, it caches the policy for the number of seconds given by max-age. The header is ignored when it arrives over plain HTTP, or on an HTTPS connection with certificate errors, so an attacker on the path cannot plant or clear a policy.

After that, the request flow looks more like this:

  sequenceDiagram
    participant B as Browser
    participant S as Server

    Note over B: HSTS policy already cached
    B->>S: GET https://example.com
    S-->>B: 200 OK

From that point on, the browser skips the insecure first hop.

That means HTTP links to your site are upgraded before the request is sent, and users stay on one canonical transport path. The browser also treats a certificate error on an HSTS host as fatal instead of offering a click-through. Together these make downgrade attacks much harder after the first secure visit.

However, this only works after the browser has seen your header once. The very first visit, or the first visit after a cached policy expires, still goes through the insecure first hop.

Preload

That first-visit gap is what HSTS preload is for.

Browser vendors ship built-in HSTS preload lists. If your domain is on that list, the browser doesn’t need to learn your HSTS policy dynamically first.

In practice, http://example.com is upgraded to https://example.com before the request leaves the browser. The first visit gets the same HTTPS-only behavior as every later visit. Because submission to the preload list requires includeSubDomains, every subdomain is covered too.

Many browsers already try to upgrade HTTP navigations to HTTPS by default (Chrome calls this HTTPS-First Mode), so preload is less dramatic than it once was. However, HSTS itself is still a very good idea. Preload is the stronger commitment when you know your entire domain and all subdomains are HTTPS-only for the long haul.

Requirements

Enabling HSTS preload takes two steps. First, your web server needs to send a header with these directives on every HTTPS response from your site:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Once that’s in place, submit your domain at hstspreload.org.

To successfully add it, your site must:

  1. serve a valid TLS certificate
  2. redirect HTTP to HTTPS on the same host, if port 80 is open
  3. serve all subdomains over HTTPS
  4. send the HSTS header on the base domain with a max-age of at least one year (31536000 seconds), plus the includeSubDomains and preload directives

The submission requirements are strict because preload is slow to undo. A few are easy to overlook: if www has a DNS record, it must support HTTPS (internal subdomains count too), and if an HTTPS endpoint redirects somewhere else, that redirect response still needs the HSTS header.

A safer rollout is to ramp up max-age gradually: hstspreload.org suggests starting at 5 minutes (300), then a week (604800), then a month (2592000). Confirm that all subdomains behave correctly over HTTPS at each step, then move to the one-year value with includeSubDomains and preload.
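To make the browser-side behavior from the HSTS section and the header rules from this section concrete, here is a small model of both. This is example code added to this article, not the author's own and not a browser's real implementation: example.com, the responses in demo() and the clock are constructed, and HstsStore is a simplified cache (no persistence, no certificate-error handling). It parses the Strict-Transport-Security header the way RFC 6797 requires, learns a policy only from HTTPS responses, upgrades http:// URLs for known hosts and subdomains, expires policies, and reports why hstspreload.org would reject a header value.

```python
"""Model of how a browser learns and applies an HSTS policy, plus a check of the
header value against the hstspreload.org submission rules.

Example code added to this article, not the author's own; example.com and the
responses in demo() are constructed, and the cache is a simplified model of what
browsers actually store (no persistence, no certificate-error handling)."""
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000
# Ramp-up schedule hstspreload.org recommends before committing to preload:
# 5 minutes, 1 week, 1 month, then 1 year with includeSubDomains and preload.
RAMP_MAX_AGES = [300, 604800, 2592000, ONE_YEAR]


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict, or return None when
    the header is malformed (no usable max-age, or a directive repeated), which is
    how RFC 6797 tells browsers to treat it: ignore the header entirely."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()         # directive names are case-insensitive
        if not name:
            continue
        if name in directives:
            return None
        directives[name] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}


def preload_problems(value):
    """Why hstspreload.org would reject this header value (empty list = OK)."""
    p = parse_hsts(value)
    if p is None:
        return ["header is missing or malformed"]
    problems = []
    if p["max_age"] < ONE_YEAR:
        problems.append(f"max-age {p['max_age']} is below {ONE_YEAR}")
    if not p["include_subdomains"]:
        problems.append("includeSubDomains is missing")
    if not p["preload"]:
        problems.append("preload is missing")
    return problems


class HstsStore:
    """Simplified model of a browser's HSTS cache plus its built-in preload list."""

    def __init__(self, preload=None, now=lambda: 0):
        self.now = now                  # injectable clock so expiry can be tested
        self.preload = preload or {}    # host -> includeSubDomains (the shipped list)
        self.entries = {}               # host -> (expires_at, includeSubDomains)

    def observe(self, url, headers):
        """Learn a policy from a response; returns True if the header was accepted.
        Only an HTTPS response counts: the header on a plaintext response is
        ignored, otherwise an on-path attacker could plant or clear policies."""
        u = urlsplit(url)
        policy = parse_hsts(headers.get("Strict-Transport-Security", ""))
        if u.scheme != "https" or not u.hostname or policy is None:
            return False
        if policy["max_age"] == 0:      # max-age=0 tells the browser to forget the host
            self.entries.pop(u.hostname, None)
        else:
            self.entries[u.hostname] = (self.now() + policy["max_age"],
                                        policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), i == 0
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            entry = self.entries.get(candidate)
            if entry and entry[0] > self.now() and (exact or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """The URL the browser actually requests: http:// becomes https:// for a
        known host before any packet is sent (port 80 becomes the https default)."""
        u = urlsplit(url)
        if u.scheme != "http" or not u.hostname or not self.is_known(u.hostname):
            return url
        netloc = u.netloc[:-3] if u.netloc.endswith(":80") else u.netloc
        return urlunsplit(("https", netloc, u.path, u.query, u.fragment))


def demo():
    """Walk through the article's flow with a fake clock and constructed responses."""
    clock = [1_000]
    hdr = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    store = HstsStore(now=lambda: clock[0])
    out = {}
    out["first_visit"] = store.rewrite("http://example.com/")            # insecure first hop
    store.observe("http://example.com/", hdr)                            # ignored: plaintext
    out["after_http"] = store.rewrite("http://example.com/")
    store.observe("https://example.com/", hdr)                           # learned over TLS
    out["after_https"] = store.rewrite("http://example.com/login?next=/")
    out["subdomain"] = store.rewrite("http://api.example.com:80/v1")
    out["lookalike"] = store.rewrite("http://example.com.evil.test/")    # must not match
    clock[0] += ONE_YEAR + 1                                             # policy expired
    out["expired"] = store.rewrite("http://example.com/")
    preloaded = HstsStore(preload={"example.com": True})
    out["preloaded_first_visit"] = preloaded.rewrite("http://www.example.com/")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>22}: {v}")
    print("preload check:", preload_problems("max-age=300") or "OK")
```

Running the file prints the URL the model would request at each stage: the first http:// visit is left alone, the header seen over plain HTTP changes nothing, the header seen over HTTPS upgrades later requests for the host and its subdomains (but not a lookalike domain that merely ends in example.com), the policy lapses once max-age has passed, and a preloaded domain is upgraded on its very first visit. Feed preload_problems() the value your server actually sends to see which of the hstspreload.org requirements it misses.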

Removing a domain from the preload list is possible, but the removal only reaches users through new browser releases, which takes months, and until then their browsers keep upgrading every request. Make sure your entire domain can stay on HTTPS for the long term before you submit.