DEV Community: Guardr

SecurityHeaders.com API Is Gone — Here's the Migration

Guardr — Fri, 24 Apr 2026 15:03:08 +0000

If you have CI/CD pipelines or scheduled audits built on api.securityheaders.com, now is the time to migrate — the API has been discontinued and no new or renewed subscriptions are being issued. Better to move before your key stops working than after.

The SecurityHeaders.com API has been discontinued — no new subscriptions, no renewals. The free web UI at securityheaders.com is still live, but if your existing key expires you have nowhere to go. This post is a practical migration guide with real before/after curl examples and a working GitHub Actions workflow.

Why developers used it in the first place

HTTP security headers — things like Content-Security-Policy, Strict-Transport-Security, X-Frame-Options and Permissions-Policy — are one of the easiest ways to harden a website against a whole class of attacks: XSS, clickjacking, protocol downgrade, MIME sniffing and more. Browsers respect them natively, no client-side code required.

The problem is that getting them right is tedious. Each header has its own syntax, edge cases and gotchas. Miss one, misconfigure another, and your security posture quietly regresses with no visible symptoms.

SecurityHeaders.com solved this with a simple letter grade. Paste a URL, get an A–F score and a list of what's missing or misconfigured. The API took that same scan and made it programmable — so developers could:

Gate CI/CD pipelines — fail the build if headers regress before a deploy goes live
Run scheduled audits across dozens of domains and feed results into a dashboard or Slack alert
Generate compliance evidence for SOC 2, PCI or internal security reviews
Power client reports for agencies managing security across multiple sites

If any of those sound useful, read on — this guide covers how to replicate them with the Guardr API.

Quick recap: what happened

January 2023 — SecurityHeaders.com launched a paid API
June 2023 — Probely acquired SecurityHeaders.com from its creator Scott Helme
June 2025 — Snyk acquired Probely
April 2025 — Probely announced the API would be retired in April 2026, giving a full year's notice
April 2026 — API discontinued, no new or renewed subscriptions

Credit to Scott Helme and the Probely/Snyk team for the generous notice window. The web scanner at securityheaders.com is a genuine contribution to web security and it continues to exist. This is just about replacing the programmatic endpoint.

The migration in one swap

The most common use case was a single GET per domain returning a grade. Here's the before/after:

Before (SecurityHeaders.com):

curl -H "x-api-key: YOUR_OLD_KEY" \
  "https://api.securityheaders.com/?q=example.com&hide=on&followRedirects=on"

After (Guardr API):

curl -H "X-API-Key: YOUR_NEW_KEY" \
  "https://api.guardr.io/v1/scan/example.com"

Same auth header style, same GET-per-domain pattern. The hide and followRedirects params don't have equivalents — results are private to your account by default and redirects are always followed.

Want to try it without signing up? The GET endpoint works keyless at 20 req/day per IP, returning grade + score only:

curl https://api.guardr.io/v1/scan/example.com

What the response looks like

Here's a real response from a domain with issues (trimmed but every field name is exact):

{
  "domain": "example.com",
  "scanned_at": "2026-04-18T12:46:48.373Z",
  "grade": "C-",
  "score": 58,
  "categories": {
    "tls": 55,
    "headers": 0,
    "cookies": 100,
    "dns": 90,
    "exposure": 100
  },
  "issues": [
    {
      "title": "HSTS not enabled",
      "severity": "high",
      "category": "TLS",
      "description": "Strict-Transport-Security header is missing...",
      "remediation": {
        "effort": "moderate",
        "warning": "Before enabling HSTS, make sure your entire site works over HTTPS — including all subdomains if using includeSubDomains.",
        "snippets": [
          {
            "platform": "Cloudflare (_headers)",
            "code": "/*\n  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload"
          },
          {
            "platform": "Nginx",
            "code": "add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\" always;"
          }
        ]
      }
    }
  ],
  "total_issues": 8,
  "issues_truncated": false
}

A few things worth calling out for developers:

remediation.effort tags every issue as quick-fix, moderate, or requires-planning. Useful for sprint planning — you can filter for quick wins before tackling CSP rollouts.

remediation.warning surfaces the gotchas inline. HSTS warns you about subdomain rollout. CSP warns about third-party integrations breaking. These are the notes that usually live in a senior engineer's head.

remediation.snippets is an array of platform-specific config code — Cloudflare _headers format, Nginx add_header, Apache Header always set. No translating from generic advice.

Field mapping from the old API

What you want	SecurityHeaders.com	Guardr
Letter grade	`summary.grade`	`grade`
Numeric score	not available	`score` (0–100)
Timestamp	`summary.timestamp`	`scanned_at` (ISO 8601)
Header findings	`summary.headers` (traffic-light)	`issues[]` with severity + remediation
Raw response headers	`rawHeaders[]`	not returned (use HEAD request if needed)
Grade cap explanation	`summary.gradeCap`	`categories` object

The key conceptual shift: the old API was header-centric (organized around raw HTTP headers). Guardr is issue-centric (organized around "what's wrong and how to fix it"). Better for CI/CD gating; less useful if you specifically wanted a raw header dump.

GitHub Actions workflow

Here's a migrated version of the most common CI pattern — nightly scan with grade-based fail:

# .github/workflows/security-scan.yml
name: Security Header Scan

on:
  schedule:
    - cron: '0 4 * * *'
  workflow_dispatch:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Scan site with Guardr
        env:
          GUARDR_API_KEY: ${{ secrets.GUARDR_API_KEY }}
        run: |
          response=$(curl -sf \
            -H "X-API-Key: $GUARDR_API_KEY" \
            "https://api.guardr.io/v1/scan/example.com")

          grade=$(echo "$response" | jq -r '.grade')
          score=$(echo "$response" | jq -r '.score')
          headers_score=$(echo "$response" | jq -r '.categories.headers')

          echo "Grade: $grade | Score: $score | Headers: $headers_score"

          if [[ "$grade" == "D" || "$grade" == "E" || "$grade" == "F" \
                || "$grade" == "C" || "$grade" == "C-" ]]; then
            echo "::error::Security grade regressed to $grade"
            echo "$response" | jq '.issues[] | select(.severity == "critical" or .severity == "high")'
            exit 1
          fi

          if (( headers_score < 70 )); then
            echo "::error::Headers score dropped to $headers_score"
            exit 1
          fi

Add GUARDR_API_KEY to your repo secrets and generate the key in the Guardr dashboard under Settings → API Access.

What about forcing a fresh scan?

The GET endpoint returns a cached result (up to an hour old). For CI runs where you want a live scan, use the POST endpoint:

curl -X POST "https://api.guardr.io/v1/scan" \
  -H "X-API-Key: YOUR_NEW_KEY" \
  -H "Content-Type: application/json" \
  -d '{"domain":"example.com"}'

POST scans complete in 5–15 seconds. Note the per-domain scan quota — on Free that's once every 7 days, on Solo once every 24 hours. For large sweeps, trigger one POST per domain then use GET for all subsequent reads.

Rate limits

Plan	Burst limit	Scan window
Public (no key)	20 req/day per IP	read only
Free	5 req/min	1 scan/domain/7 days
Solo ($7/mo)	15 req/min	1 scan/domain/24 hrs
Starter	30 req/min	1 scan/domain/24 hrs
Pro	60 req/min	1 scan/domain/6 hrs
Agency	120 req/min	1 scan/domain/1 hr

Every response includes X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset and Retry-After on 429s. Respect Retry-After — don't hammer on rate limit errors.

What Guardr covers that the old API didn't

Beyond security headers, a Guardr scan also checks:

TLS — HSTS presence and config (hstsMaxAge, hstsIncludesSubs, hstsPreload as structured fields), HTTP→HTTPS redirect
DNS — DNSSEC and CAA records
Cookies — Secure, HttpOnly and SameSite attributes
Exposure paths — /.git/HEAD, /.env, /phpinfo.php, /wp-login.php
JS bundle secret scanning — leaked OpenAI, Stripe, AWS, Supabase keys in shipped JavaScript

What Guardr's v1 doesn't have (yet)

rawHeaders[] dump — use a HEAD request if you need raw headers
History endpoint, compare endpoint and PDF-via-API — these exist in the dashboard but aren't exposed as API endpoints yet

Other alternatives (honest take)

Mozilla Observatory — free, excellent for manual one-off checks, no public API
Qualys SSL Labs — gold standard for deep TLS analysis, doesn't cover headers
Roll your own — 30 lines of Python + cron if you only need HSTS presence

Guardr is the closest drop-in for the grade-based API + remediation use case. For deep TLS work, SSL Labs is still the right tool. For manual spot checks, Mozilla Observatory is free and great.

I'm Anatoli, building Guardr solo. The API launched this month specifically to give SecurityHeaders.com users somewhere to land. If there's an endpoint or feature from the old API that doesn't have a Guardr equivalent and it's blocking your migration, drop me a message — I want to hear about it.

Full docs and response samples: guardr.io/docs/api

Hardenize moved to $5K+/year enterprise. Here's the self-serve alternative.

Guardr — Mon, 23 Mar 2026 19:33:00 +0000

This post originally appeared on guardr.io/blog/vs-hardenize.

Hardenize was one of the best tools for tracking security posture across a portfolio of websites. After Red Sift acquired it, the self-serve tier was removed and pricing moved to $5,000+/year — aimed at enterprise security teams, not agencies or freelancers.

If you were on the self-serve tier, this post is for you.

What you're probably looking for

A replacement that covers the same monitoring surface as Hardenize:

Security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy)
TLS and SSL certificate expiry — alerts at 30 and 7 days before expiry
DNS security (DNSSEC, CAA records)
Cookie attribute checks (Secure, HttpOnly, SameSite)
Exposure path detection (.git, .env, wp-login.php, phpinfo.php)
Continuous monitoring with alerts — not manual spot checks

...without a $5K/year contract.

How Guardr fits

Guardr is a self-serve security posture monitor built for web agencies and developers managing multiple sites.

It covers everything above plus uptime monitoring, and includes platform-specific fix instructions per finding — the exact Cloudflare, Nginx, or Apache config snippet, not just a description of the problem.

Feature	Hardenize	Guardr
Security header monitoring	✅	✅
TLS / cert expiry alerts	✅	✅
DNS security checks	✅	✅
Cookie security	✅	✅
Exposure path detection	✅	✅
Uptime monitoring	❌	✅
Fix instructions per platform	❌	✅
Self-serve available	⛔ Gone	✅
Starting price	$5K+/year	$7/month

Letter grade, tracked over time

Every site gets an A–F grade based on its full security configuration — TLS, headers, DNS, cookies, and exposure paths. The grade is tracked over time so you can see when a deployment caused a regression, and alerts fire when it drops.

Free scanner — no login needed

You can scan any URL for free at guardr.io — no account required. You'll get a letter grade and full breakdown of every misconfiguration, with fix instructions included.

From there you can set up continuous monitoring with one click.

Full comparison at guardr.io/blog/vs-hardenize.

What Does a Website Security Score Mean?

Guardr — Sun, 15 Mar 2026 19:20:22 +0000

You ran a security scan on your website and got a grade. Maybe it's an A. Maybe it's a D. Either way, you're probably wondering: what does this actually mean? Is my site about to get hacked? Are my visitors at risk?

The short answer: a website security score is a snapshot of how well your site follows publicly recommended security best practices. It doesn't mean you've been breached. It means there are things any browser or any visitor can check about your site and some of them could be configured better.

Let's break it down.

What a security score measures

A website security score evaluates the publicly visible configuration of your website. This isn't about scanning your server's file system or testing for SQL injection. It's about what your site tells every single visitor's browser when they connect.

Think of it like a building inspection. An inspector doesn't break into your vault — they check whether the doors lock properly, the fire exits work and the smoke detectors are installed. A security score does the same thing for your website.

Most scanners, including Guardr — evaluate five main areas:

1. TLS / SSL configuration

TLS (Transport Layer Security) is what makes your site load over HTTPS instead of HTTP. But not all TLS setups are equal. A security scan checks whether your certificate is valid, whether outdated protocol versions like TLS 1.0 and 1.1 are disabled and whether the connection between your visitor and your server is properly encrypted.

A properly configured TLS setup also means your SSL certificate isn't about to expire without you knowing. Expired certificates trigger browser warnings that immediately drive visitors away — and most site owners don't realize it happened until someone tells them.

Why it matters: A weak or misconfigured TLS setup can leave your visitors' data exposed in transit — login credentials, form submissions, payment information. And an expired certificate can take your site's credibility offline in seconds.

2. Security headers

Security headers are instructions your server sends to the browser with every page load. They tell the browser things like: "don't load scripts from unknown sources," "don't allow this page to be embedded in an iframe," and "always use HTTPS."

The most important ones include:

Strict-Transport-Security (HSTS) — forces HTTPS connections, preventing downgrade attacks where an attacker intercepts the initial HTTP request before it redirects to HTTPS.

Content-Security-Policy (CSP) — controls which resources the browser is allowed to load, blocking malicious scripts injected through cross-site scripting (XSS) attacks.

X-Content-Type-Options — prevents the browser from guessing file types incorrectly, which attackers can exploit to execute malicious code disguised as harmless files.

X-Frame-Options — blocks clickjacking attacks by preventing your site from being embedded in iframes on malicious pages.

Referrer-Policy — controls what information is shared when visitors click links on your site, preventing sensitive URL parameters from leaking to third parties.

Permissions-Policy — restricts which browser features (camera, microphone, geolocation) your site can access, reducing the attack surface if your site is ever compromised.

Why it matters: Missing security headers are the single most common misconfiguration on the web. They're free to add, take minutes to configure and protect your visitors from entire classes of attacks. If you fix nothing else, fix your headers first.

3. Cookie security

If your site sets cookies (and almost every site does — analytics, sessions, preferences), those cookies should be configured with security flags: Secure (only sent over HTTPS), HttpOnly (not accessible to JavaScript) and SameSite (prevents cross-site request forgery).

Without these flags, cookies become low-hanging fruit for attackers. A cookie without the Secure flag can be intercepted over an unencrypted connection. A cookie without HttpOnly can be stolen by a malicious script running on your page. A cookie without SameSite can be exploited in cross-site request forgery (CSRF) attacks, where an attacker tricks your user's browser into making authenticated requests to your site.

Why it matters: Insecure cookies can be stolen or manipulated, potentially letting an attacker hijack a user's session and act as if they were that user.

4. DNS security

Your domain's DNS configuration can include additional security layers that most site owners overlook. DNSSEC (Domain Name System Security Extensions) prevents attackers from redirecting your visitors to a fake version of your site by cryptographically signing your DNS records. CAA (Certificate Authority Authorization) records specify which certificate authorities are allowed to issue certificates for your domain, preventing unauthorized certificate issuance.

These are often ignored because they're configured at the registrar level, not the server level — meaning they fall through the cracks between "the person who manages the domain" and "the person who manages the server."

Why it matters: Without DNS security, an attacker could intercept your visitors before they even reach your server — and your visitors would have no way to tell the difference.

5. Exposure and information leakage

This category checks whether your site exposes files or paths that shouldn't be publicly accessible — things like .git directories, .env files, wp-admin login panels, database backup files, or server information headers that reveal your technology stack.

Every piece of exposed information makes an attacker's job easier. A leaked .env file could contain API keys, database credentials, or third-party service tokens. An exposed .git directory could reveal your entire source code. A visible wp-admin path confirms you're running WordPress and tells attackers exactly where to focus their brute-force attempts.

Why it matters: Exposure paths give attackers a roadmap of your infrastructure. The less they know about your stack, the harder their job becomes.

How the score is calculated

Different scanners weigh these categories differently. In Guardr, the weighting reflects real-world impact:

TLS / SSL: 28% — because encryption is foundational to everything else.

Security Headers: 28% — because they're the most actionable and commonly missing.

Exposure Paths: 20% — because information leakage creates direct, exploitable risk.

Cookie Security: 14% — because session security matters for any site handling user data.

DNS Security: 10% — because it's important but less commonly exploited at the SMB level.

Each category is scored individually based on what's configured correctly versus what's missing or misconfigured. The category scores are then combined into an overall percentage that maps to a letter grade:

Score	Grade	What it means
90–100	A	Excellent — your site follows best practices across the board
80–89	B	Good — solid foundation with a few misconfigurations to address
65–79	C	Fair — noticeable gaps that should be fixed soon
50–64	D	Poor — significant misconfigurations putting visitors at risk
Below 50	F	Critical — immediate attention needed

Most websites score in the C to B range. If you're there, you're not alone — but you can do better.

What a score doesn't tell you

It's important to understand the limits of a security score:

It's not a penetration test. A score checks configuration, not whether an attacker can exploit a specific vulnerability in your application code or business logic.

It's not a guarantee. An A grade means your publicly visible configuration follows best practices. It doesn't mean your site is unhackable — there is no tool that can promise that.

It's not permanent. Configurations change when you update your server, switch hosting providers, deploy new code, or modify your tech stack. A score from last month might not reflect today's reality.

It's not a compliance certificate. While a good security score aligns with many compliance requirements (PCI DSS, GDPR technical measures), it doesn't replace a formal compliance audit.

This is exactly why continuous monitoring matters — a one-time scan tells you where you stand right now, but your security posture can drift without anyone noticing.

What to do with your score

If your score isn't where you'd like it to be, here's the good news: most misconfigurations are straightforward to fix. You don't need to hire a security consultant or overhaul your infrastructure.

Start with the highest-impact items:

Security headers — these are usually the quickest wins. Adding headers like HSTS, X-Content-Type-Options and X-Frame-Options takes minutes on most platforms.

TLS configuration — make sure you're running TLS 1.2 or higher and that your certificate is valid and not approaching expiry. If you're on Cloudflare or a modern hosting provider, most of this is handled for you but it's worth verifying.

Cookie flags — if you control your application's cookie settings, adding Secure, HttpOnly and SameSite flags is usually a small code change or server configuration update.

Exposure paths — check whether any sensitive files (.env, .git, backups) are publicly accessible and block them at the server level with deny rules.

DNS security — enable DNSSEC through your domain registrar and add CAA records to restrict certificate issuance. This is a one-time setup that takes about 10 minutes.

Each fix compounds. Address the top three items and you'll likely jump an entire letter grade.

Why continuous monitoring beats one-time scans

Running a scan once is useful. It gives you a baseline. But websites are not static — you deploy new code, update plugins, switch CDN providers, renew certificates, change server configurations. Any of these can quietly alter your security posture without triggering a single alert.

A header that was present last week might disappear after a deployment. A certificate that was fine yesterday might expire tomorrow. A new exposed path might appear when a developer pushes a config file they didn't mean to.

Continuous monitoring catches these changes before they become problems. Instead of remembering to manually check your site every few weeks (and let's be honest, you won't), you get alerted the moment something changes: a header disappears, a certificate is approaching expiry, your score drops.

That's exactly what Guardr is built for. It scans your site on a regular schedule, tracks changes over time and alerts you when something needs attention — so you can fix misconfigurations in minutes instead of discovering them weeks later.

A security score is a starting point, not a destination. It tells you where you stand, highlights what needs attention and gives you a clear path to improving. The sites that stay secure aren't the ones that scan once and forget — they're the ones that monitor continuously and fix issues as they appear.

How to Fix Missing HSTS Header (Step-by-Step)

Guardr — Wed, 11 Mar 2026 19:01:01 +0000

If you've scanned your website and received a warning about a missing HSTS header, you're not alone. From our internal checks, most of the none technical websites are misconfigured and are missing HSTS header mostly because they are lack of security awareness, this is why we want to raise such awareness. It's one of the most common security findings and one of the most impactful to fix. This guide walks you through what HSTS is, why your site needs it, and how to enable it on every major platform.

What's covered

What is HSTS and why does it matter?
How HSTS protects your users
Before you enable HSTS
How to add HSTS on Cloudflare
How to add HSTS on Nginx
How to add HSTS on Apache
How to add HSTS on other platforms
Understanding the HSTS directives
Common mistakes when enabling HSTS
HSTS preloading explained
How to verify HSTS is working

What is HSTS and why does it matter?

HSTS stands for HTTP Strict Transport Security. It's a security header that tells browsers: "Only connect to this site over HTTPS. Never use HTTP."

Without HSTS, here's what can happen. A user types yoursite.com into their browser. The browser first tries http://yoursite.com. Your server redirects to https://yoursite.com. That initial HTTP request — before the redirect — is unencrypted and vulnerable. An attacker on the same network (coffee shop Wi-Fi, hotel network, airport) can intercept that first request, steal cookies, inject malicious content, or redirect the user to a fake version of your site. This is called a protocol downgrade attack.

HSTS eliminates this window of vulnerability. Once a browser sees the HSTS header, it remembers: "This site is HTTPS-only." Every future visit goes directly to HTTPS — no HTTP request, no redirect, no attack window.

This isn't a theoretical risk. SSL stripping attacks are well-documented and tools to execute them are freely available. If your site handles any user data — logins, forms, personal information, payments — HSTS should be considered essential.

How HSTS protects your users

HSTS provides three specific protections:

No protocol downgrade. Browsers refuse to connect over HTTP, even if the user types http:// explicitly or clicks an old HTTP link. The browser automatically upgrades to HTTPS before making the request.

No mixed content fallback. If any resource on your page tries to load over HTTP, the browser blocks or upgrades it. This prevents attackers from injecting content through insecure resource loads.

Cookie protection. Without HSTS, cookies set without the Secure flag could leak over an HTTP connection. HSTS ensures the connection is always encrypted, adding a layer of protection even if cookie flags aren't perfect.

Before you enable HSTS

HSTS is powerful, but it's also a commitment. Once a browser caches your HSTS policy, it will refuse to connect over HTTP until the max-age expires. If your HTTPS setup has problems, users won't see a warning — they'll see a hard error with no way to bypass it.

Before enabling HSTS, verify these things:

Your SSL/TLS certificate is valid and not expiring soon. All pages on your site load correctly over HTTPS. All resources (images, scripts, stylesheets, fonts) are served over HTTPS — no mixed content. If using includeSubDomains, every subdomain also works over HTTPS. Your HTTP-to-HTTPS redirect is working correctly (301 permanent redirect).

If any of these aren't ready, fix them first. Start with a short max-age (like 300 seconds / 5 minutes) to test safely. Once everything works, increase to the recommended value.

How to add HSTS on Cloudflare

Cloudflare offers two approaches.

Option 1: Cloudflare Dashboard (easiest)

Go to your Cloudflare dashboard, select your site, then navigate to SSL/TLS → Edge Certificates. Scroll down to find the HSTS setting and click "Enable HSTS." Cloudflare will show you a confirmation dialog explaining the implications. Configure it with max-age of 12 months, includeSubDomains on, and preload on.

Option 2: _headers file (for Cloudflare Pages)

If you're using Cloudflare Pages, create or edit a _headers file in your project's output directory:

/*
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The /* means this header applies to all pages. Deploy your site and the header will be served on every response.

How to add HSTS on Nginx

Add one line inside your server block for the HTTPS configuration:

server {
    listen 443 ssl http2;
    server_name example.com;

    # Add HSTS header
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # ... rest of your config
}

The always keyword is important — it ensures the header is sent even on error responses (4xx, 5xx). Without it, Nginx only adds the header on successful responses.

Make sure you only add HSTS to your HTTPS server block, not the HTTP one. The HTTP block should only contain the redirect to HTTPS:

server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

After editing, test and reload:

nginx -t
systemctl reload nginx

How to add HSTS on Apache

Enable the headers module if it isn't already, then add the header in your VirtualHost configuration or .htaccess file:

# Enable module (if not already)
# a2enmod headers

<VirtualHost *:443>
    ServerName example.com

    # Add HSTS header
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # ... rest of your config
</VirtualHost>

Or in .htaccess (if your host supports it):

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>

Restart Apache after changes:

systemctl restart apache2

How to add HSTS on other platforms

Vercel — add to vercel.json:

{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        {
          "key": "Strict-Transport-Security",
          "value": "max-age=31536000; includeSubDomains; preload"
        }
      ]
    }
  ]
}

Netlify — add to _headers file or netlify.toml:

[[headers]]
  for = "/*"
  [headers.values]
    Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"

AWS CloudFront — use a Response Headers Policy in the CloudFront distribution settings. Navigate to Policies → Response headers → Create policy → Security headers → Enable Strict-Transport-Security.

WordPress — if you can't edit server config, use a security plugin like "HTTP Headers" or "Really Simple SSL" which can add HSTS through PHP. However, server-level configuration is always preferred.

Understanding the HSTS directives

The full recommended HSTS header looks like this:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Each part serves a specific purpose:

max-age=31536000 tells the browser how long to remember the HSTS policy, in seconds. 31536000 seconds equals one year. During this time, the browser will never attempt an HTTP connection. The timer resets on every visit, so regular visitors stay protected indefinitely. For initial testing, use max-age=300 (5 minutes). Once confirmed working, increase to a full year.

includeSubDomains extends the policy to every subdomain under your domain. If you set HSTS on example.com with includeSubDomains, then api.example.com, blog.example.com, and staging.example.com are all forced to HTTPS as well. Only add this if every subdomain supports HTTPS. One subdomain without a valid certificate will become completely inaccessible.

preload signals that you want your domain added to browser HSTS preload lists. These are lists compiled into Chrome, Firefox, Safari, and Edge that force HTTPS from the very first visit — not just after the browser first sees your header. To actually get preloaded, you need to submit your domain at hstspreload.org after adding the header.

Common mistakes when enabling HSTS

Setting max-age too high on the first try. If you discover a problem after setting a one-year max-age, visitors' browsers will refuse HTTP connections for up to a year. Start with 5 minutes, then 1 day, then 1 week, then 1 year.

Adding includeSubDomains when subdomains aren't ready. If staging.example.com runs on HTTP or has an expired certificate, it becomes unreachable. Audit all subdomains first.

Only adding HSTS to some pages. HSTS should be on every response from your domain. Use the wildcard path (/* in Cloudflare/Netlify) or add it at the server level in Nginx/Apache.

Adding HSTS to HTTP responses. The header should only be served over HTTPS. Browsers ignore HSTS headers received over HTTP (for good reason — an attacker could inject a fake one). Your HTTP server block should only redirect to HTTPS.

Forgetting about cookies. HSTS protects the transport layer, but you should also set the Secure flag on all cookies to ensure they're never sent over HTTP. HSTS and Secure cookies work together.

HSTS preloading explained

The HSTS preload list is a registry of domains that browsers treat as HTTPS-only from the very first connection. Without preloading, a user's first visit is still vulnerable because the browser hasn't seen your HSTS header yet. Preloading eliminates this gap.

To qualify for preloading, your site must serve a valid HSTS header with max-age of at least one year (31536000), include the includeSubDomains directive, include the preload directive, and redirect all HTTP traffic to HTTPS.

Submit your domain at hstspreload.org after meeting these requirements. The submission is reviewed and, once accepted, your domain is hardcoded into browser source code. This process takes weeks to months — browsers need to ship updates that include the new list.

A warning: removing your domain from the preload list is difficult and slow. Only preload domains you're certain will stay on HTTPS permanently.

How to verify HSTS is working

After deploying, verify with any of these methods:

Using curl:

curl -I https://yoursite.com

Look for Strict-Transport-Security in the response headers. You should see your full policy with max-age, includeSubDomains, and preload.

Using browser DevTools:

Open your site in Chrome or Firefox, press F12, go to the Network tab, click the first request (your domain), and check the Response Headers section.

Using Guardr:

Scan your site for free — Guardr checks your HSTS configuration and tells you exactly what's missing or misconfigured. If your HSTS is working correctly, the TLS/SSL score reflects it. If something is off — missing includeSubDomains, short max-age, or HSTS not present at all — you'll see a specific finding with the exact fix.

HSTS is one of the highest-impact security improvements you can make. It takes one line of configuration, costs nothing, and protects every user on every visit. If your site is served over HTTPS (and it should be), there's no reason not to enable it.

Start with a short max-age, verify everything works, then commit to a full year. Your users and your security score will thank you.