HTTP Strict Transport Security (HSTS) is a security mechanism that tells browsers to only connect to your website over HTTPS. Once a browser receives the HSTS header, it will automatically convert all HTTP requests to HTTPS for the specified duration — even if the user types http:// in the address bar.
Why HSTS Matters
Without HSTS, your site is vulnerable to:
- SSL stripping attacks — An attacker on the same network can intercept the initial HTTP request before the redirect to HTTPS happens and serve a plain HTTP version of your site.
- Cookie hijacking — Session cookies sent over an unencrypted connection can be captured.
- Downgrade attacks — Forcing the browser to use an older, less secure protocol.
How It Works
When your server sends the response header:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
The browser remembers this for max-age seconds (31536000 = 1 year) and, for that period, rewrites any http:// URL for the site to https:// before the request leaves the browser, so no insecure connection is attempted. Browsers only honour the header when it arrives over an HTTPS connection with a valid certificate; a header sent on a plain HTTP response (for example on the redirect to HTTPS) is ignored.
Key Directives
- max-age — How long (in seconds) the browser should remember to only use HTTPS.
- includeSubDomains — Apply the rule to all subdomains as well.
- preload — Allows your domain to be included in browser preload lists, meaning HTTPS is enforced even on the very first visit. Inclusion is not automatic: the domain has to be submitted to the preload list, and because the entry ships inside browser builds it is slow and difficult to remove, so every subdomain must be ready for HTTPS-only before you add this token.
What InspectWP Checks
InspectWP analyzes whether your WordPress site sends the Strict-Transport-Security response header. If missing, the report flags it as a security concern. A proper HSTS header with a long max-age value and the includeSubDomains directive is recommended.
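To make the directive rules above and the kind of header check described here concrete, the following Python checker is an added example written for this page (it is not InspectWP's code). It parses a Strict-Transport-Security value the way RFC 6797 defines it, reports a missing, invalid or weak policy, and can fetch the live header over HTTPS; the finding wording and the command-line usage are assumptions.

```python
import http.client

ONE_YEAR = 31536000  # seconds; the value used in the header above and required for preload


def parse_hsts(header: str) -> "dict | None":
    """Split a header value into directives; names are case-insensitive (RFC 6797).
    Returns None when a directive is repeated, which makes the header invalid."""
    directives: dict = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = value.strip().strip('"') if sep else None
    return directives


def assess_hsts(header: "str | None") -> list:
    """Return findings for a header value (None = header absent); [] means it looks sound."""
    if header is None:
        return ["missing: no Strict-Transport-Security header sent"]
    d = parse_hsts(header)
    if d is None:
        return ["invalid: a directive appears more than once"]
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        return ["invalid: max-age is required and must be a number of seconds"]
    age, findings = int(max_age), []
    if age == 0:
        findings.append("disabled: max-age=0 tells browsers to forget the policy")
    elif age < ONE_YEAR:
        findings.append(f"weak: max-age={age} is shorter than one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("weak: includeSubDomains missing, subdomains stay reachable over HTTP")
    if "preload" in d and (age < ONE_YEAR or "includesubdomains" not in d):
        findings.append("preload: token set but the list requires max-age>=1 year and includeSubDomains")
    return findings


def fetch_hsts(host: str) -> "str | None":
    """Fetch the live header over HTTPS, the only transport on which browsers honour it."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", "/", headers={"Host": host})
    return conn.getresponse().getheader("Strict-Transport-Security")


if __name__ == "__main__":
    import sys  # assumed usage: python hsts_check.py example.com
    print("\n".join(assess_hsts(fetch_hsts(sys.argv[1])) or ["ok: HSTS policy looks sound"]))
```

Run it against a host you operate to see the same three outcomes the report distinguishes: header absent, header present but weak, or a sound policy.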