HSTS: Enforced HTTPS & Preload List — Anti SSL Stripping in 2026
HSTS forces browsers to reject HTTP connections on your domain. With the HSTS Preload List, SSL Stripping attacks on public networks become impossible.
In Short
HSTS (HTTP Strict Transport Security, RFC 6797) is an HTTP header that instructs the browser to refuse HTTP connections to that domain for a declared period (max-age). Without HSTS, the SSL Stripping attack (Marlinspike 2009) is possible: an attacker in a MITM position (public WiFi network, compromised ISP) intercepts the user’s first HTTP request and redirects it to a non-TLS version, delivering their own content.
With HSTS Preload, the browser has baked-in code indicating the domain is HTTPS-only — making SSL Stripping attacks useless even on the first request.
The SSL Stripping Attack on Public WiFi
Crowded coffee shop. The attacker sets up a fake access point with the same SSID as the coffee shop. Customer phones connect automatically. The attacker runs a MITM proxy (sslstrip, mitmproxy) which:
- Intercepts GET http://firma.ro (the user’s first request)
- Makes a request to https://firma.ro in the background (attacker → real server)
- Rewrites all https:// links to http:// in the response
- Returns the plain HTTP version to the user
- The attacker sees credentials, sessions, form data in cleartext
With HSTS already known by the browser (from previous visits), the attack fails — the browser doesn’t even send HTTP, it goes directly to HTTPS.
Anatomy of the HSTS Header
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
- max-age=63072000 — 2 years in seconds. The browser remembers that the domain is HTTPS-only for 2 years from the last visit.
- includeSubDomains — applies to all subdomains (*.firma.ro)
- preload — flag for submission to the HSTS Preload List
HSTS Preload List — The Ultimate Protection
The Preload List is a list hardcoded into Chrome, Firefox, Safari, Edge: listed domains are HTTPS-only from the very first visit ever. No SSL Stripping attack on the first request.
Submission at https://hstspreload.org/ — free, but:
- Requirement: max-age ≥ 31536000 (1 year)
- Requirement: includeSubDomains active
- Requirement: preload directive present
- Requirement: 301 redirect HTTP → HTTPS on all subdomains
- Requirement: Valid TLS on all subdomains (test before!)
Warning: Reversing from the Preload List takes 6-12 months. If you decide incorrectly (e.g., one subdomain isn’t HTTPS), your site will be inaccessible on that subdomain for months.
Step-by-Step Implementation
Step 1 — Force HTTPS on EVERYTHING
301 Redirect HTTP → HTTPS at the server level (nginx, Caddy, Apache, Cloudflare). HSTS in the browser does not secure the first connection without preload.
nginx:
server {
listen 80;
server_name firma.ro www.firma.ro;
return 301 https://$host$request_uri;
}
Step 2 — Add the HSTS Header
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
nginx:
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
Caddy: Automatic if HTTPS is configured (default with adjustable header Strict-Transport-Security).
Step 3 — Test with Short max-age First (1 Month)
Strict-Transport-Security: max-age=2592000; includeSubDomains
(Without preload for now.) Leave it for 30 days, verify that no subdomain is accidentally on HTTP.
Step 4 — Bump max-age to 2 Years + Activate Preload
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Step 5 — Submit to Preload List
https://hstspreload.org/ → enter domain → automatic requirement check → submit. Acceptance takes 1-3 months (browser releases).
Subdomains: Justified Paranoia
includeSubDomains applies to everything. Verify that all subdomains are HTTPS:
- mail.firma.ro — HTTPS webmail
- api.firma.ro — HTTPS API
- staging.firma.ro — even staging must be HTTPS if public
- legacy.firma.ro — any forgotten subdomain will become inaccessible after preload
Complete audit beforehand: dig on all subdomains + check each has a valid TLS cert.
Common Confusions
“max-age=300 is enough for testing.” — Incorrect. HSTS Preload requires ≥31536000. Testing with a short max-age is good, but without submitting to preload you aren’t protected on the first request.
“HSTS breaks my staging.” — Only if you include staging in preload. Solution: do not submit staging.firma.ro separately; use staging.firma.local internally only.
“I have HSTS but the browser doesn’t know me.” — The browser only knows HSTS after the first successful HTTPS visit that sets the header. For protection from the first visit → Preload is required.
Check Now
ARTEMIS checks for HSTS presence + max-age value + preload eligibility in any Site scan (2 EUR).
🔗 Complementary CAI Technology Solutions
- ARTEMIS — HSTS verification + 36 other technical security checks.
- Auditope — Holistic web audit (SEO + AI search + Performance + WCAG).
- Lexnomia — EU compliance assessment (NIS2 / PCI-DSS — HSTS is an explicit PCI-DSS 4.0 requirement).
- BeLegal — Free 5-minute EU compliance check.
- AriaUnited — European funds consultancy for TLS / WAF infrastructure investments.