Security Glossary

HTTP Strict Transport Security (HSTS)

HSTS is a security header that instructs browsers to only connect to your site via HTTPS, preventing protocol downgrade attacks and cookie hijacking over insecure connections.

Understanding HTTP Strict Transport Security (HSTS)

When a server sends the Strict-Transport-Security header, the browser remembers that this domain should only be accessed over HTTPS for the specified duration (max-age). Any subsequent HTTP requests are automatically upgraded to HTTPS by the browser before they are sent, eliminating the window where an attacker could intercept an unencrypted request.

Without HSTS, the first request to a site might be over HTTP (e.g., when a user types example.com without https://). During this brief HTTP connection, a man-in-the-middle attacker can perform SSL stripping — intercepting the connection and proxying between an HTTP connection to the user and an HTTPS connection to the server. The user sees no HTTPS indicators, and the attacker sees all traffic in plaintext.

The header supports three key parameters. max-age sets how long (in seconds) the browser should enforce HTTPS — 31536000 (one year) is standard. includeSubDomains extends the policy to all subdomains, preventing attacks on subdomains that might share cookies. preload opts into the HSTS preload list maintained by browsers, which hardcodes your domain as HTTPS-only, eliminating even the first-visit vulnerability.

Before enabling HSTS with a long max-age, ensure all your resources work correctly over HTTPS. An incorrect HSTS configuration can make your site inaccessible if HTTPS is broken, and the only fix is waiting for the max-age to expire or users manually clearing their browser's HSTS cache.
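To make the browser-side behaviour described above concrete, here is an added example (not code from the original page) that models how a browser parses a Strict-Transport-Security header, caches the policy per host, honours includeSubDomains and max-age expiry, and treats a header received over plain HTTP as if it were absent. The host names, timestamps and header values are constructed for illustration; the names parseHsts, HstsCache and demo are assumptions of this example.

```javascript
// Added example (not from the original page): a minimal model of how a
// browser stores and enforces Strict-Transport-Security. All host names,
// header values and timestamps below are constructed for illustration.

// Parse a Strict-Transport-Security header value into a policy object.
// Directive names are case-insensitive and values may be quoted; unknown
// directives are ignored; a missing or non-numeric max-age makes the header
// invalid, which we signal by returning null.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of headerValue.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const [name, value] = directive
      .split('=')
      .map((s) => s.trim().replace(/^"|"$/g, ''));
    switch (name.toLowerCase()) {
      case 'max-age':
        if (!/^\d+$/.test(value ?? '')) return null;
        policy.maxAge = Number(value);
        break;
      case 'includesubdomains':
        policy.includeSubDomains = true;
        break;
      case 'preload':
        policy.preload = true;
        break;
      default:
        // Unrecognised directives are ignored rather than rejected.
    }
  }
  return policy.maxAge === null ? null : policy;
}

// A tiny HSTS cache keyed by host. The clock (`now`, in seconds) is passed
// in explicitly so that expiry can be exercised deterministically.
class HstsCache {
  constructor() {
    this.entries = new Map();
  }

  // Called when a response carries the header. Browsers ignore the header on
  // plain-HTTP responses, so this model does too; max-age=0 clears the entry.
  observe(host, headerValue, receivedOverHttps, now) {
    if (!receivedOverHttps) return;
    const policy = parseHsts(headerValue);
    if (!policy) return;
    if (policy.maxAge === 0) {
      this.entries.delete(host);
      return;
    }
    this.entries.set(host, {
      expires: now + policy.maxAge,
      includeSubDomains: policy.includeSubDomains,
    });
  }

  // True if `host` itself, or a parent domain whose entry has
  // includeSubDomains, holds an unexpired policy. Expired entries are purged.
  isKnown(host, now) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expires <= now) {
        this.entries.delete(candidate);
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// URL to https:// before it is sent, when the host is
  // covered by a cached policy; otherwise return the URL unchanged.
  upgrade(url, now) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname, now)) {
      u.protocol = 'https:';
    }
    return u.toString();
  }
}

// Demonstration with constructed values: a one-year policy with
// includeSubDomains, checked shortly after receipt and again after expiry.
function demo() {
  const cache = new HstsCache();
  const t0 = 1700000000;
  cache.observe('example.com', 'max-age=31536000; includeSubDomains; preload', true, t0);
  return {
    upgraded: cache.upgrade('http://example.com/login', t0 + 10),
    subdomainUpgraded: cache.upgrade('http://api.example.com/v1', t0 + 10),
    expired: cache.upgrade('http://example.com/login', t0 + 31536001),
  };
}

console.log(demo());
```

The expiry branch is what makes the caveat in the paragraph above bite: once a long max-age has been cached, nothing short of a successful HTTPS visit can shorten it, so the cache keeps upgrading requests even if the server's HTTPS is currently broken.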

Why This Matters for Vibe-Coded Apps

Most hosting platforms used by vibe coders (Vercel, Netlify, Render, Cloudflare Pages) handle HTTPS certificates automatically, but not all set HSTS headers by default. Without HSTS, your users are vulnerable to downgrade attacks during their first visit or when they type your domain without the https:// prefix.

Adding HSTS is one of the safest security improvements for any vibe-coded app — it has no functional side effects as long as your site works over HTTPS. AI-generated deployment configurations rarely include HSTS, so it should be part of your post-deployment security checklist. The Strict-Transport-Security header can typically be added through your hosting platform's header configuration or in your Next.js/Express response headers.
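The following is an added example, not code from the original page, from Express, or from any hosting platform: an Express-style middleware that emits Strict-Transport-Security only on HTTPS responses, redirects plain-HTTP requests to HTTPS, and refuses to emit the preload directive unless the configuration meets the preload-list criteria summarised in the FAQ below (one-year max-age, includeSubDomains, preload, HTTP redirected to HTTPS). The option names (maxAge, includeSubDomains, preload, redirectHttp), the function names, and the request stub used for the offline demonstration are assumptions of this example.

```javascript
// Added example (not from the original page or from Express itself). The
// middleware has the (req, res, next) shape Express expects and relies on
// three documented Express request/response members: req.secure,
// req.hostname, req.originalUrl and res.redirect(status, url).

const ONE_YEAR = 31536000; // seconds; the standard production max-age

// Build the header value from an options object. Assumed option names:
// { maxAge, includeSubDomains, preload, redirectHttp }.
function buildHstsHeader({ maxAge, includeSubDomains = false, preload = false }) {
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push('includeSubDomains');
  if (preload) parts.push('preload');
  return parts.join('; ');
}

// Return the list of reasons a configuration is not ready for the preload
// list; an empty list means every criterion is met.
function preloadProblems(opts) {
  const problems = [];
  if (!(opts.maxAge >= ONE_YEAR)) problems.push('max-age below one year');
  if (!opts.includeSubDomains) problems.push('includeSubDomains missing');
  if (!opts.preload) problems.push('preload directive missing');
  if (!opts.redirectHttp) problems.push('HTTP is not redirected to HTTPS');
  return problems;
}

// Middleware factory. Throws at startup, not per request, if `preload` is
// requested on a configuration that would not qualify for the list.
function hsts(opts) {
  if (opts.preload) {
    const problems = preloadProblems(opts);
    if (problems.length) {
      throw new Error('refusing to emit preload: ' + problems.join(', '));
    }
  }
  const headerValue = buildHstsHeader(opts);
  return function hstsMiddleware(req, res, next) {
    // Behind a TLS-terminating proxy (most hosting platforms), req.secure is
    // only meaningful once Express is told to trust the proxy's
    // X-Forwarded-Proto header, e.g. app.set('trust proxy', 1).
    if (!req.secure) {
      if (opts.redirectHttp) {
        return res.redirect(301, `https://${req.hostname}${req.originalUrl}`);
      }
      return next(); // browsers discard HSTS received over plain HTTP anyway
    }
    res.setHeader('Strict-Transport-Security', headerValue);
    next();
  };
}

// Offline demonstration using a constructed request/response stub, so the
// example runs without Express installed. In a real app you would write:
//   app.set('trust proxy', 1);
//   app.use(hsts({ maxAge: 300, redirectHttp: true }));            // test stage
//   app.use(hsts({ maxAge: ONE_YEAR, includeSubDomains: true,
//                  preload: true, redirectHttp: true }));          // final stage
function simulate(middleware, { secure, hostname = 'example.com', originalUrl = '/' }) {
  const res = {
    headers: {},
    setHeader(name, value) { this.headers[name] = value; },
    redirect(status, location) { this.status = status; this.location = location; },
  };
  let nextCalled = false;
  middleware({ secure, hostname, originalUrl }, res, () => { nextCalled = true; });
  return { headers: res.headers, status: res.status, location: res.location, nextCalled };
}

console.log(simulate(hsts({ maxAge: 300, redirectHttp: true }), { secure: true, originalUrl: '/login' }));
console.log(simulate(hsts({ maxAge: 300, redirectHttp: true }), { secure: false, originalUrl: '/login' }));
```

Starting with maxAge: 300 and only later switching to ONE_YEAR with includeSubDomains and preload mirrors the staged rollout recommended in the FAQ; the startup check makes it impossible to ship a preload directive by accident on a configuration that would not be accepted.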

Real-World Examples

Firesheep and WiFi Session Hijacking (2010)

The Firesheep browser extension demonstrated how trivially unencrypted HTTP sessions could be hijacked on public WiFi. HSTS would have prevented this attack entirely by ensuring browsers never sent session cookies over HTTP, but most sites had not yet adopted the header.

SSL Stripping at DEF CON

Security researcher Moxie Marlinspike demonstrated SSL stripping attacks at DEF CON, showing how a man-in-the-middle proxy could transparently downgrade HTTPS to HTTP. This attack was one of the primary motivations for the creation of the HSTS standard.

Government .gov HSTS Preloading

The US government mandated HSTS preloading for all .gov domains, automatically enforcing HTTPS for every government website. This eliminated the first-visit vulnerability and served as a model for other TLD operators to enforce HTTPS at the domain level.

Frequently Asked Questions

Is HSTS safe to enable?

HSTS is safe as long as your site works correctly over HTTPS. Once enabled, browsers will refuse to connect over HTTP for the duration of max-age. If your HTTPS breaks (expired certificate, misconfigured server), users will see an error they cannot bypass. Start with a short max-age (300 seconds) to test, then increase to a year (31536000) once you are confident. Do not enable preload until you are certain HTTPS will always work for your domain and all subdomains.

What is the HSTS preload list?

The HSTS preload list is maintained by the Chromium project and shared by all major browsers. Domains on this list are hardcoded as HTTPS-only, meaning the browser enforces HTTPS from the very first visit, eliminating the first-request vulnerability. To be eligible, your site must serve a valid HSTS header with max-age of at least one year, include the includeSubDomains and preload directives, and redirect all HTTP traffic to HTTPS.

Can HSTS be removed once set?

You can signal removal by setting max-age=0, but browsers only update this value when they next visit your site over HTTPS. Users who do not return will have HSTS cached for the original duration. For preloaded domains, removal requires submitting a request to the preload list maintainers and waiting for browser updates to propagate, which can take months. This is why starting with short max-age values is recommended.

Does HSTS protect against all MITM attacks?

HSTS protects against SSL stripping and protocol downgrade attacks specifically. It does not protect against MITM attacks where the attacker has a trusted certificate (e.g., corporate proxies with installed root certificates) or attacks against the TLS protocol itself. For additional protection, consider certificate pinning and Certificate Transparency monitoring.

Is Your App Protected?

VAS automatically scans for vulnerabilities related to HTTP Strict Transport Security (HSTS) and provides detailed remediation guidance. Our scanner targets issues common in AI-generated applications.

Scans from $5, results in minutes. Get actionable fixes tailored to your stack.
