HSTS Headers Generator

Generate secure HTTP Strict Transport Security headers with best practice configurations for your domain


How to Get Started

Simple steps to create amazing results

1. Configure Your HSTS Policy

Select your preferred max-age duration, decide whether to include subdomains, and choose if you want to enable preloading for maximum security.

2. Generate Your Header

Click the generate button to create your custom HSTS header with all the directives you've configured, formatted and ready to use.

3. Implement on Your Server

Copy the generated header and add it to your web server configuration. Test your implementation to ensure HSTS is working correctly.

Main Features

Powerful capabilities at your fingertips

Instant Header Generation

Create properly formatted HSTS headers in seconds with our intuitive interface. No manual coding required.

RFC 6797 Compliant

All generated headers follow the official HSTS specification, ensuring compatibility with all modern browsers and maximum security.

Flexible Configuration

Customize max-age values, includeSubDomains directive, and preload settings to match your specific security requirements.

Best Practice Recommendations

Get expert suggestions for optimal HSTS configuration based on industry standards and security best practices.

Multiple Export Formats

Download headers for Apache, Nginx, IIS, and other popular web servers with server-specific syntax.

Detailed Documentation

Access comprehensive guides explaining each directive and how to properly implement HSTS on your website.

Frequently Asked Questions

Everything you need to know

What is HSTS?

HSTS (HTTP Strict Transport Security) is a web security policy mechanism that helps protect websites against man-in-the-middle attacks by enforcing the use of HTTPS.

What is the significance of the max-age directive in HSTS?

The max-age directive specifies the duration (in seconds) that the browser should remember that a site is only accessible using HTTPS. It is a crucial part of the HSTS policy.

Should I include the includeSubDomains directive?

The includeSubDomains directive applies the HSTS policy to all subdomains of your domain. Only include it if all your subdomains support HTTPS; otherwise some subdomains may become inaccessible.

What is HSTS preloading?

HSTS preloading adds your domain to a hardcoded list in browsers, ensuring HTTPS is enforced even on the first visit. To use preload, you must submit your domain to the HSTS preload list and include the preload directive.

What is a recommended max-age value?

For production sites, a max-age of 31536000 seconds (1 year) is recommended. Start with a lower value like 300 seconds (5 minutes) for testing, then gradually increase it once you're confident your configuration works correctly.

Can I remove HSTS after implementing it?

Yes, but it requires setting max-age to 0 and waiting for the previous max-age period to expire in users' browsers. This is why it's important to test thoroughly before deploying with a long max-age value.
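As an added example (not the generator's own code), the three options the generator exposes turned into a header builder, a parser that applies the RFC 6797 directive rules browsers enforce, and a checker for the pitfalls the FAQ describes; the preload-list prerequisites it enforces (max-age of at least one year plus includeSubDomains, per hstspreload.org) are an assumption beyond what the page states.

```python
import re

ONE_YEAR = 31536000  # the page's recommended production max-age, in seconds

def build_hsts_header(max_age: int, include_subdomains: bool = False,
                      preload: bool = False) -> str:
    """Build a Strict-Transport-Security value from the generator's three options.
    'preload' is refused without its preload-list prerequisites (assumed here)."""
    if max_age < 0:
        raise ValueError("max-age must be a non-negative number of seconds")
    if preload and (max_age < ONE_YEAR or not include_subdomains):
        raise ValueError("preload needs max-age >= 31536000 and includeSubDomains")
    directives = [f"max-age={max_age}"]
    if include_subdomains:
        directives.append("includeSubDomains")
    if preload:
        directives.append("preload")
    return "; ".join(directives)

def parse_hsts_header(value: str) -> dict:
    """Parse a header value as RFC 6797 section 6.1 requires: ';'-separated
    directives, case-insensitive names, a mandatory (optionally quoted) max-age,
    and no directive repeated (a repeat makes the whole header invalid)."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen[name] = raw.strip().strip('"')
    if not re.fullmatch(r"\d+", seen.get("max-age", "")):
        raise ValueError("max-age is required and must be a non-negative integer")
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}

def check_hsts_header(value: str) -> list:
    """Return the findings a reviewer would raise on a header already deployed."""
    policy = parse_hsts_header(value)
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 removes the policy from browsers that revisit")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("max-age below one year; raise it once testing is done")
    if policy["preload"] and (policy["max_age"] < ONE_YEAR or not policy["include_subdomains"]):
        findings.append("preload is set but preload-list prerequisites are unmet")
    return findings
```

Run check_hsts_header against the value your server actually returns (for example from a curl -I response) rather than against the value you intended to configure; the two differ more often than expected.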

Ready to Secure Your Website?

Generate your HSTS headers now and protect your users with enforced HTTPS security. Free, instant, and RFC compliant.