HSTS & HTTPS Redirect: Enforce Secure Transport Consistently

HTTPS is not fully hardened unless HTTP traffic is redirected correctly and browsers are instructed to stay on HTTPS afterward.

What This Check Looks For

  • Whether http:// requests redirect to the matching https:// URL.
  • Whether the site sends a valid Strict-Transport-Security header on HTTPS responses.
  • Whether the HSTS policy is strong enough to be meaningful for production use.

Why It Matters

Redirects move users and crawlers from insecure HTTP URLs to HTTPS. HSTS then tells browsers to skip HTTP entirely on future visits for the policy duration.

Together, these reduce downgrade risk, avoid duplicate protocol variants, and make transport security more reliable.

Common Problems

HTTP does not redirect cleanly

If HTTP returns 200 OK, redirects to the wrong host, or uses inconsistent paths, users and crawlers can still hit insecure URLs.

HSTS is missing

Without Strict-Transport-Security, browsers may still attempt HTTP first on later visits or when users type a bare domain. Note that HSTS is trust-on-first-use: the policy only takes effect after the browser has seen the header once over HTTPS, so the very first plain-HTTP request is still exposed.

HSTS is too weak

Very short max-age values limit the protection, since the browser forgets the policy as soon as it expires. A header with no max-age directive at all is ignored entirely. Production sites typically use a long-lived policy (one year, max-age=31536000, is common) once HTTPS is stable.

Redirect chains

Multiple hops such as http -> www -> https -> final URL slow down navigation and create avoidable complexity, and every hop that is still plain HTTP (http -> http://www) is one more insecure request on the wire. Prefer a single clean hop from the HTTP URL straight to the final HTTPS URL where possible.

Best Practices

  • Redirect every HTTP URL to its HTTPS equivalent.
  • Send Strict-Transport-Security only on HTTPS responses.
  • Use a long max-age (commonly one year) after validating your HTTPS setup; a short value during rollout is fine, and max-age=0 tells browsers to drop the policy if you need to back out.
  • Consider includeSubDomains only if every subdomain is HTTPS-ready.
  • Review redirects after CDN, proxy, or load balancer changes.

Example Config

Nginx redirect

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # $host echoes the request's Host header and keeps the path and query.
    # This is safe while server_name is restrictive; if this block is the
    # default_server for the IP, hardcode the canonical host instead so an
    # arbitrary Host header is not reflected into the Location header.
    return 301 https://$host$request_uri;
}

Nginx HSTS on HTTPS

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    # Certificate paths are placeholders; nginx will not start without them.
    ssl_certificate     /etc/ssl/certs/example.com.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # "always" keeps the header on error responses too. Note that any
    # add_header inside a location block replaces the inherited set, so
    # repeat this line in such locations or they will ship without HSTS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}

Express middleware example

const express = require('express');
const app = express();

// Behind a TLS-terminating proxy or load balancer, req.secure is false
// unless Express trusts the X-Forwarded-Proto header from that hop.
app.set('trust proxy', 1);

app.use((req, res, next) => {
    // Only HTTPS responses carry the header; browsers ignore HSTS over HTTP.
    if (req.secure) {
        res.setHeader(
            'Strict-Transport-Security',
            'max-age=31536000; includeSubDomains'
        );
    }

    next();
});

Quick Check

curl -I http://example.com

Expect a 301 (or 308) with a Location header pointing at the https:// equivalent of the same host, path, and query.

curl -I https://example.com

Expect to see Strict-Transport-Security in the response headers (header names are case-insensitive) with a max-age that matches your policy.

curl -I -L http://example.com

This follows redirects so you can confirm the final destination is HTTPS.
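The three curl commands above check one thing each by eye. The script below is an added example (not code from the original page) that automates the same audit and also covers the Common Problems listed earlier: a non-permanent redirect, a redirect to a different host, a dropped path or query, a redirect chain longer than one hop, and a missing or short-lived HSTS policy. The one-year floor, the one-hop limit, and the sample responses are this example's own assumptions; the sample responses are constructed, not captured from any site.

```python
"""Audit an HTTP->HTTPS redirect and the resulting HSTS policy.

Added example, not from the original page. Pure functions take
(status, headers) pairs so the logic runs offline on constructed
responses; fetch_live() performs a real request when you want one.
"""
import sys
import http.client
from urllib.parse import urljoin, urlsplit

MIN_MAX_AGE = 31536000   # one year; this floor is the example's assumption
MAX_HOPS = 1             # the page recommends a single clean hop
MAX_FOLLOW = 10          # loop guard for misconfigured chains


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict.

    Returns None when the header is absent or max-age is missing or
    non-numeric; browsers treat such a header as no policy at all.
    """
    if value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def check_hsts(headers):
    """Findings for the HSTS header of an HTTPS response (keys lowercase)."""
    policy = parse_hsts(headers.get("strict-transport-security"))
    if policy is None:
        return ["HSTS missing or unparseable on the HTTPS response"]
    if policy["max_age"] < MIN_MAX_AGE:
        return [f"HSTS max-age {policy['max_age']} is below {MIN_MAX_AGE}"]
    return []


def fetch_live(url, timeout=10):
    """One request with redirects NOT followed: (status, lowercase headers)."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    conn.request("GET", (p.path or "/") + ("?" + p.query if p.query else ""))
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, headers


def audit(start_url, fetch=fetch_live):
    """Follow the chain from start_url; return hops, final URL and findings."""
    want, url, hops, findings = urlsplit(start_url), start_url, [], []
    for _ in range(MAX_FOLLOW):
        status, headers = fetch(url)
        hops.append((url, status))
        if not (300 <= status < 400 and "location" in headers):
            break
        if status not in (301, 308):
            findings.append(f"{url}: {status} is not a permanent redirect")
        url = urljoin(url, headers["location"])  # Location may be relative
    else:
        findings.append(f"more than {MAX_FOLLOW} redirects; possible loop")
    final = urlsplit(url)
    if final.scheme != "https":
        findings.append(f"final URL is not https: {url}")
    else:
        findings.extend(check_hsts(headers))
    if final.hostname != want.hostname:
        findings.append(f"host changed: {want.hostname} -> {final.hostname}")
    if (final.path or "/", final.query) != (want.path or "/", want.query):
        findings.append(f"path/query not preserved: {url}")
    if len(hops) - 1 > MAX_HOPS:
        findings.append(f"{len(hops) - 1} redirect hops, expected at most {MAX_HOPS}")
    return {"hops": hops, "final": url, "findings": findings}


# Constructed sample responses (not captured from any real site).
SAMPLE_GOOD = {
    "http://example.com/path?q=1": (301, {"location": "https://example.com/path?q=1"}),
    "https://example.com/path?q=1": (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
}
SAMPLE_BAD = {  # temporary first hop, extra www hop, weak max-age
    "http://example.com/": (302, {"location": "http://www.example.com/"}),
    "http://www.example.com/": (301, {"location": "https://www.example.com/"}),
    "https://www.example.com/": (200, {"strict-transport-security": "max-age=300"}),
}


def table_fetch(table):
    """Build a fetch() that answers from a dict of constructed responses."""
    return lambda url: table[url]


if __name__ == "__main__":
    # Usage: python hsts_audit.py http://your-host/   (no argument runs the bad sample)
    result = audit(sys.argv[1]) if len(sys.argv) > 1 else audit("http://example.com/", table_fetch(SAMPLE_BAD))
    for hop, status in result["hops"]:
        print(f"{status} {hop}")
    print("OK" if not result["findings"] else "\n".join("FAIL: " + f for f in result["findings"]))
```

Run it with no argument to see the four findings the bad sample produces (temporary redirect, weak max-age, host change, two hops), or pass your own http:// URL to audit a live site. Because fetch_live never follows redirects itself, every hop and its status is visible, which is exactly what the bare curl -I shows and curl -I -L hides.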

Final Takeaway

Strong launch hygiene means HTTP is redirected away, HTTPS is canonical, and HSTS helps keep future visits on the secure protocol automatically.