HTTP Strict Transport Security (HSTS) is a powerful security header, but "HSTS Preloading" takes it to the next level. By getting your domain on the global HSTS preload list, you ensure that browsers never even attempt an insecure connection to your site-protecting your users from the very first request.
Standard HSTS protects users on their second visit. HSTS Preloading protects them from the first second.
1. What is HSTS Preloading?
While a standard HSTS header tells a browser to use HTTPS after the first visit, HSTS Preloading is a list built into the browser itself (Chrome, Firefox, Safari). If your domain is on this list, the browser will automatically use HTTPS even if the user has never visited your site before.
The Benefit
It prevents "SSL Stripping" attacks where an attacker intercepts the very first http:// request before the HSTS header can be delivered.
2. Requirements for Preloading
To be eligible for the HSTS preload list, your header must meet strict criteria:
- Valid SSL: You must have a valid certificate.
- Redirect All Traffic: Redirect from HTTP to HTTPS on the same host.
- All Subdomains: Serve HSTS for all subdomains.
- Long Max-Age: At least 1 year (
31536000seconds). - IncludeSubDomains: The directive must be present.
- Preload Directive: The
preloadflag must be present.
Example Header
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
3. The Risks of Preloading
Warning: HSTS Preloading is difficult to undo. If you enable it and one of your subdomains doesn't support HTTPS, that subdomain will become completely inaccessible to users.
- Irreversible: Removal from the list can take months.
- No Fallback: You cannot serve any content over plain HTTP once preloaded.
4. How to Submit Your Domain
- Configure your server with the correct header.
- Verify your configuration using our Security Headers Tool.
- Go to hstspreload.org and enter your domain.
- Check for any errors and click "Submit".
Conclusion
HSTS Preloading is the "Gold Standard" of web transport security. It provides absolute certainty that your users are always using an encrypted connection. However, due to its restrictive nature, ensure every part of your infrastructure is HTTPS-ready before taking the plunge.