
What Is HSTS and Why It Matters for Your Omaha Business Website

HSTS is a one-line HTTP header that prevents downgrade attacks and tells browsers to never load your site over plain HTTP. Here's how it works and how to add it.

May 4, 2026

If our Vulnerability Scanner flagged your site for a missing HSTS header, the fix is one line of HTTP configuration, but the security upside is significant. Here's the plain-English guide to what HSTS does, why it matters, and how to enable it without breaking your site.

The Problem HSTS Solves

You probably already have HTTPS on your site (the padlock icon). Most Omaha businesses do. But there's a sneaky gap most owners don't know about: the very first time someone visits your site.

When a customer types yourcompany.com into their browser, they don't usually type the https://. The browser's first request goes out as plain HTTP. Your server then redirects them to HTTPS. Problem solved, except for that first vulnerable moment between the request leaving the customer's laptop and your redirect coming back.

An attacker on the same Wi-Fi network (coffee shop, hotel, airport) can intercept that first plain-HTTP request and serve a fake version of your site. The customer sees what looks like your login page, types their credentials, and the attacker has them. This is called an SSL stripping or downgrade attack, and it's been a known technique since 2009.

How HSTS Closes the Gap

HTTP Strict Transport Security (HSTS) is a single HTTP response header your server sends. It tells the browser: "Never connect to this domain over plain HTTP again; for the next two years, always use HTTPS automatically."

The browser remembers this. The next time the customer types yourcompany.com, the browser doesn't even send the HTTP request; it goes straight to HTTPS, leaving no chance for a downgrade attack.

The Recommended Header

The standard HSTS header for production sites is:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

What each piece means:

  • max-age=63072000: remember this policy for 2 years (the value is in seconds)
  • includeSubDomains: apply HSTS to app.yourcompany.com, blog.yourcompany.com, and every other subdomain
  • preload: signals that the domain is eligible for the browser preload list; once the domain is submitted and accepted at hstspreload.org, HSTS is enforced even on the very first visit
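As an added example (not code from the original post), here is a small Python checker that parses a Strict-Transport-Security value the way RFC 6797 describes and grades it. The one-year threshold is hstspreload.org's minimum max-age for preload submission, an assumption added here; the two-year value is the one this post recommends.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Thresholds (assumption for this example): hstspreload.org requires max-age >= 1 year;
# the post recommends 2 years for production.
ONE_YEAR = 31536000
TWO_YEARS = 63072000


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    errors: List[str]


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Directive names are case-insensitive, each may appear only once, max-age
    is required and its value may be quoted. Unknown directives are ignored.
    """
    errors, seen = [], set()
    max_age, include_sub, preload = None, False, False
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:
            errors.append(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", value):
                max_age = int(value)
            else:
                errors.append("max-age must be a non-negative integer")
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if "max-age" not in seen:
        errors.append("missing required max-age directive")
    return HstsPolicy(max_age, include_sub, preload, errors)


def grade(header_value: Optional[str]) -> str:
    """Verdict for one response header: MISSING, INVALID, WEAK, OK or PRELOAD_READY."""
    if header_value is None:
        return "MISSING"
    p = parse_hsts(header_value)
    if p.errors:
        return "INVALID"          # browsers ignore a malformed header entirely
    if p.max_age < ONE_YEAR:
        return "WEAK"             # fine for the max-age=300 test phase, not for production
    return "PRELOAD_READY" if p.include_subdomains and p.preload else "OK"
```

Feed it the header value captured from your own site (for example with curl -I) to see which stage of the rollout you are at.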

How to Add It (By Hosting Type)

Cloudflare

Dashboard → SSL/TLS → Edge Certificates → HTTP Strict Transport Security (HSTS) → Enable. Set max-age to 6 months for testing, then bump to 2 years.

Vercel / Netlify

Add to vercel.json (netlify.toml expresses the same rule as a TOML [[headers]] block rather than this JSON):

{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        {
          "key": "Strict-Transport-Security",
          "value": "max-age=63072000; includeSubDomains; preload"
        }
      ]
    }
  ]
}

Nginx

In your HTTPS server block (browsers ignore the header when it arrives over plain HTTP):

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

Apache (.htaccess)

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

Microsoft IIS / Windows Server

IIS Manager → your site → HTTP Response Headers → Add → Name: Strict-Transport-Security, Value: max-age=63072000; includeSubDomains; preload

WordPress (no plugin)

If your WordPress site is on a hosting provider like SiteGround, Kinsta, or WP Engine, ask their support to enable HSTS; they all support it via a dashboard toggle.

Important Warnings

1. Test Before Going Long

Start with a 5-minute max-age (max-age=300). Make sure every subdomain works on HTTPS. Then bump to 6 months, then 2 years. Once browsers cache HSTS, you can't undo it for the cached duration, so a misconfiguration can lock customers out.

2. Every Subdomain Needs HTTPS

If you set includeSubDomains, every subdomain, including ones you forgot about, needs a valid SSL certificate: shop.yourcompany.com, old-staging.yourcompany.com, all of them.

3. The Preload List Is One-Way

If you submit to hstspreload.org, you're committing to HTTPS forever for that domain. Don't preload until you're 100% sure.

Beyond HSTS: The Bigger Picture

HSTS is one of about a dozen HTTP security headers. The others (Content-Security-Policy, X-Frame-Options, Referrer-Policy, Permissions-Policy) each defend against a different attack class. Our free vulnerability scanner grades all of them and tells you the exact fix for each.

If you'd rather have a local Omaha team handle this and the rest of your security posture, DME Computer Services includes header hardening in every cybersecurity engagement. Call 402-650-8407.

DME Computer Services is a local Omaha-based IT provider delivering managed IT support, cybersecurity, and technology solutions for small businesses. Schedule a free assessment; same-day response is available.