What is HSTS (HTTP Strict Transport Security)?

An HTTP response header that tells browsers to contact the domain only over HTTPS for a specified duration.

Full explanation

HSTS prevents protocol-downgrade attacks. Once a browser has received the header, it refuses plain-HTTP connections to the domain for the max-age period, so a user or page that requests an http:// URL is sent over HTTPS instead. Submitting your domain to the HSTS preload list bakes this policy into the browser itself, so even the very first request is made over HTTPS and no initial HTTP request is ever possible.

Example

`Strict-Transport-Security: max-age=63072000; includeSubDomains; preload`

FAQ

Should I enable HSTS preload?

Yes, but only after verifying that your entire domain and all of its subdomains are served exclusively over HTTPS. Preload is hard to reverse; plan carefully.