Script Valley
HTTP & The Web: How It Actually Works
HTTPS and TLS Security, Lesson 3.4

How HSTS prevents downgrade attacks


HSTS: Enforcing HTTPS on the Browser

[Diagram: HSTS vs SSL stripping attack]

HTTPS protects data in transit — but only after the connection is encrypted. The first HTTP redirect to HTTPS is vulnerable to SSL stripping. HSTS closes this gap.

The SSL stripping attack

A user types example.com (without https://), so the browser sends a plain HTTP request. Without HSTS, an attacker on the same network can intercept that request, fetch the real site over HTTPS themselves, and relay the pages back to the user over plain HTTP, acting as a transparent proxy that can read or alter everything passing through. The user sees no padlock but assumes they are on the real site.

HSTS to the rescue

After visiting a site once over HTTPS, if the server sends:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The browser records this domain as HTTPS-only for max-age seconds (one year in the example above). On later visits it rewrites any http:// URL for that domain to https:// internally, so no plain HTTP request ever leaves the browser and there is nothing for an attacker to intercept. The header is only honoured when it arrives over HTTPS; a copy received over plain HTTP is ignored.

includeSubDomains extends the policy to every subdomain. preload signals consent to be included in the browsers' built-in HSTS preload list, which ships hardcoded HTTPS-only domains inside the browser so the protection applies before any first visit. The directive alone does nothing until the domain is submitted to the list, and submission requires includeSubDomains and a max-age of at least one year.

# Check a site's HSTS header
curl -I https://example.com | grep -i strict

Caution: Set a long max-age only when you are fully committed to HTTPS on the whole domain (and on every subdomain, if includeSubDomains is set). If you ever need HTTP again, returning visitors stay locked out until their stored max-age expires — and removal from the preload list must be requested separately and can take months to reach released browsers.
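As an added example (not code from the lesson), a small Python model of a browser's HSTS store: it parses the header shown above, applies max-age expiry and includeSubDomains matching when deciding whether an http:// URL is rewritten to https:// before any request is sent, and checks the header-side requirements of the preload list. Host names and timestamps are constructed, and port handling is simplified.

```python
# Added example (not from the original lesson): a miniature model of a browser's
# HSTS store, showing how the header's directives decide whether an http:// URL
# is rewritten to https:// before any request leaves the browser.
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; also the minimum max-age the preload list accepts

def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value into {'max_age', 'include_subdomains', 'preload'}."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age is required")  # browsers ignore a header without it
    return policy

class HstsStore:
    """Known HSTS hosts: hostname -> (expiry time, include_subdomains)."""
    def __init__(self):
        self.hosts = {}

    def record(self, host: str, header: str, now: float) -> None:
        """Call only for responses received over HTTPS; HSTS over plain HTTP is ignored."""
        policy = parse_hsts(header)
        if policy["max_age"] == 0:  # max-age=0 tells the browser to forget the host
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = (now + policy["max_age"], policy["include_subdomains"])

    def upgrade(self, url: str, now: float) -> str:
        """Return the URL the browser will actually fetch (constructed model, ports dropped)."""
        p = urlsplit(url)
        if p.scheme != "http":
            return url
        labels = p.hostname.split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return urlunsplit(("https", p.hostname, p.path, p.query, p.fragment))
        return url  # no live policy: this plain-HTTP request is what SSL stripping intercepts

def preload_eligible(header: str) -> bool:
    """Header-side preload-list requirements (the HTTP->HTTPS redirect is checked separately)."""
    p = parse_hsts(header)
    return p["preload"] and p["include_subdomains"] and p["max_age"] >= ONE_YEAR
```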
