Security, basic

HTTPS Enforcement (HSTS)

Mechanisms that ensure all communication occurs over encrypted HTTPS connections, preventing protocol downgrade attacks.

Also known as: HTTP Strict Transport Security, HSTS, HTTPS redirect, SSL enforcement

Description

HTTPS enforcement ensures that all client-server communication uses encrypted HTTPS rather than unencrypted HTTP. Without enforcement, users who type a domain name without specifying a protocol, follow HTTP links, or are targeted by network-level attackers may have their connections intercepted before the redirect to HTTPS occurs. HTTP Strict Transport Security (HSTS) addresses this by instructing browsers to always use HTTPS for a domain.

HSTS works through the Strict-Transport-Security response header, which tells browsers to automatically convert any HTTP requests to HTTPS for the specified domain for a given duration (max-age, in seconds). The includeSubDomains directive extends this protection to all subdomains, and the preload directive signals that the domain may be included in the HSTS preload lists shipped with browsers, providing protection even on the first visit. Browsers only honour the header when it arrives over an HTTPS connection with a valid certificate; once a browser has accepted an HSTS policy, it will not send plain HTTP requests to that domain until the max-age expires, and each further HTTPS response carrying the header refreshes that timer.

Beyond HSTS, comprehensive HTTPS enforcement includes server-side HTTP-to-HTTPS redirects (301 Moved Permanently), configuring load balancers and CDNs to redirect HTTP traffic, ensuring all internal links and resource references use HTTPS, setting the Secure flag on all cookies, and monitoring for mixed content warnings. Submission to the HSTS preload list (hstspreload.org) provides the strongest protection against first-visit attacks, but it requires careful preparation since removal from the list is slow and difficult.

Prompt Snippet

Configure the Strict-Transport-Security header with max-age=63072000 (2 years), includeSubDomains, and preload directives. Implement a 301 redirect from HTTP to HTTPS at the load balancer or reverse proxy level, not in application code. Submit your domain to the HSTS preload list at hstspreload.org after verifying all subdomains support HTTPS. Set the Secure flag on all cookies to prevent transmission over HTTP. In Cloudflare/CDN configuration, enable 'Always Use HTTPS' and set minimum TLS version to 1.2. Audit for mixed content using the Content-Security-Policy upgrade-insecure-requests directive.
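The following is an added example, not code from this glossary or from any browser or CDN vendor. It models the header mechanics described above in two parts: a small `HstsCache` that behaves the way the description says a browser does (the header is only accepted over HTTPS, policies expire after max-age, includeSubDomains covers child hosts, and plain HTTP URLs are rewritten to HTTPS), and a `preload_ready` check that approximates the hstspreload.org submission rules that can be judged from the header and the port-80 redirect (max-age of at least one year, includeSubDomains, preload, and an HTTP redirect to HTTPS on the same host). Host names, header values and timestamps are constructed sample inputs; the function names are this example's own.

```python
"""Added example: browser-side HSTS policy model and a preload-readiness check.
Not part of the glossary page; hostnames and header values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 syntax).
    Returns None when max-age is missing or malformed, which a browser
    treats as "no policy"."""
    max_age = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)


class HstsCache:
    """Minimal model of a browser's HSTS store: host -> (policy, expiry time)."""

    def __init__(self) -> None:
        self._store: Dict[str, Tuple[HstsPolicy, float]] = {}

    def observe(self, host: str, header: str, now: float, over_https: bool = True) -> None:
        # RFC 6797: the header is only honoured on a secure, error-free connection,
        # so an HSTS header injected into a plain HTTP response is ignored.
        if not over_https:
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy.max_age == 0:          # max-age=0 tells the browser to forget the host
            self._store.pop(host, None)
            return
        self._store[host] = (policy, now + policy.max_age)

    def _policy_for(self, host: str, now: float) -> Optional[HstsPolicy]:
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])   # host itself, then each parent domain
            entry = self._store.get(candidate)
            if entry is None or entry[1] <= now:
                continue                        # unknown or expired
            if i == 0 or entry[0].include_subdomains:
                return entry[0]
        return None

    def rewrite(self, url: str, now: float) -> str:
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme != "http" or self._policy_for(parts.hostname or "", now) is None:
            return url
        netloc = parts.netloc
        if netloc.endswith(":80"):
            netloc = netloc[:-3] + ":443"      # RFC 6797 8.3: explicit port 80 becomes 443
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def preload_ready(header: str, http_redirect_location: Optional[str], host: str) -> List[str]:
    """Approximate hstspreload.org checks judged from the header and the
    port-80 redirect target. Returns a list of problems; empty means ready."""
    policy = parse_hsts(header)
    if policy is None:
        return ["no valid max-age in Strict-Transport-Security header"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below the required {ONE_YEAR}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    if http_redirect_location is None:
        problems.append("HTTP (port 80) does not redirect to HTTPS")
    else:
        loc = urlsplit(http_redirect_location)
        if loc.scheme != "https" or loc.hostname != host:
            problems.append(f"HTTP must redirect to https://{host}/ on the same host, "
                            f"got {http_redirect_location}")
    return problems


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe("example.com", "max-age=63072000; includeSubDomains; preload", now=1000)
    print(cache.rewrite("http://api.example.com:80/v1", now=2000))
    print(preload_ready("max-age=300", None, "example.com"))
```

The redirect target matters for preloading: a port-80 redirect that jumps straight to a different host (for example from the apex to a www subdomain) fails the "same host" rule, which is why the check above compares the redirect's hostname against the submitted domain.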

Tags

hsts, https, transport-security, browser-security