HTTPS encrypts your site, but HSTS ensures browsers never even try to connect over plain HTTP. It's a one-line header that closes a real attack window — and every school site running HTTPS should have it.
HTTP Strict Transport Security (HSTS) is an HTTP response header that tells browsers: "This site only works over HTTPS — never try plain HTTP, not even for a moment."
Once a browser receives this header, it will automatically upgrade any http:// request to https:// locally — before the request ever leaves the device. This closes a specific attack window that plain HTTPS does not cover.
Even with HTTPS enabled, there is a brief vulnerability during a user's first visit or when someone types yourschool.edu.ph without the https:// prefix:
1. The browser sends a plain request to http://yourschool.edu.ph
2. The server redirects the browser to https://yourschool.edu.ph

An attacker on the same network (school Wi-Fi, for example) can intercept steps 1 and 2 — performing an SSL stripping attack — and silently serve the site over HTTP without the user noticing. Credentials entered on what looks like the school portal are captured in plain text.
HSTS eliminates steps 1–2 entirely. The browser never sends the initial HTTP request.
```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
```
| Directive | Meaning |
|-----------|---------|
| max-age=31536000 | Remember this policy for 1 year (the value is in seconds) |
| includeSubDomains | Apply to all subdomains too (e.g., portal.yourschool.edu.ph) |
| preload | Submit to browser preload lists (optional, advanced) |
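To make the directive table concrete, here is a small parser and checker for the header value, written for this article as an added example (it is not the Site Scanner's code or any browser's). It follows the RFC 6797 grammar (directives separated by `;`, case-insensitive names, no duplicates, `max-age` required) and reports the findings a scanner would: missing header, malformed value, `max-age` shorter than the 6-month minimum the article recommends, missing `includeSubDomains`, and a `preload` directive that does not meet the preload list's one-year requirement. The sample header values at the bottom are constructed, not taken from any real site.

```python
"""Parse and sanity-check a Strict-Transport-Security header value.

Added example for this article (not code from the page or any project).
Directive handling follows RFC 6797: directives are separated by ';',
names are case-insensitive, each may appear at most once, and max-age is
required. The 6-month threshold mirrors the article's Cloudflare advice;
the one-year figure is the HSTS preload list's submission requirement.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SIX_MONTHS = 15_552_000   # 180 days in seconds, the minimum the article recommends
ONE_YEAR = 31_536_000     # the value used in the article's config snippets


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a value such as 'max-age=31536000; includeSubDomains'.

    Raises ValueError on anything a browser would treat as malformed
    (missing or non-numeric max-age, duplicated directives, empty names).
    Unknown directives are ignored, as the RFC requires.
    """
    seen: Dict[str, Optional[str]] = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue  # a trailing or doubled ';' is tolerated
        name, sep, val = token.partition("=")
        name = name.strip().lower()
        if not name:
            raise ValueError(f"empty directive name in {token!r}")
        if name in seen:
            raise ValueError(f"directive {name!r} appears more than once")
        # Values may be quoted (max-age="300"); strip the quotes
        seen[name] = val.strip().strip('"') if sep else None
    if "max-age" not in seen:
        raise ValueError("max-age directive is required")
    age = seen["max-age"]
    if age is None or not age.isdigit():
        raise ValueError(f"max-age must be a non-negative integer, got {age!r}")
    return HstsPolicy(
        max_age=int(age),
        include_subdomains="includesubdomains" in seen,
        preload="preload" in seen,
    )


def check_hsts(value: Optional[str]) -> List[str]:
    """Return findings for a deployed header value; an empty list means it looks good."""
    if value is None:
        return ["no Strict-Transport-Security header: browsers will still try plain HTTP first"]
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [f"malformed header, browsers ignore it: {exc}"]
    findings: List[str] = []
    if policy.max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy (this disables HSTS)")
    elif policy.max_age < SIX_MONTHS:
        findings.append(f"max-age={policy.max_age} is shorter than 6 months; fine for rollout, raise it once stable")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains such as a portal can still be reached over HTTP")
    if policy.preload and (policy.max_age < ONE_YEAR or not policy.include_subdomains):
        findings.append("preload requires max-age of at least one year and includeSubDomains")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not headers observed on any real site
    samples = [
        "max-age=31536000; includeSubDomains",
        "max-age=300",
        "max-age=0; includeSubDomains",
        "max-age=31536000; max-age=0",
        None,
    ]
    for sample in samples:
        print(repr(sample), "->", check_hsts(sample) or ["ok"])
```

Run it as-is to see the findings for each sample; to check a live site, feed the value of the `Strict-Transport-Security` response header from an HTTPS response into `check_hsts`. Note that browsers only honour the header when it arrives over HTTPS, so sending it on the plain-HTTP redirect response accomplishes nothing.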
Apache, using mod_headers:

```apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
```
Nginx:

```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```
In your Cloudflare dashboard: SSL/TLS → Edge Certificates → HTTP Strict Transport Security (HSTS) — toggle it on. Set max-age to at least 6 months.
For WordPress sites, plugins like Really Simple SSL or Headers & Security can add HSTS without touching server config.
HSTS is a commitment. Once a browser has seen the header, it will refuse to connect to your site over plain HTTP for the full max-age period. Before enabling HSTS, start with a short max-age (e.g., 300 seconds) first.

The preload directive allows you to submit your domain to the HSTS Preload List, a list built into Chrome, Firefox, and other browsers. Preloaded domains get HSTS enforcement even on the very first visit, before the browser has ever seen your header.
This is optional and harder to reverse — only do it if you are fully committed to HTTPS for the long term.
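The first-visit window, the local http-to-https rewrite, the includeSubDomains scope, and the "commitment" for the full max-age period all come down to one thing: the cache of known HSTS hosts that the browser keeps. The following model of that cache is an added example (it is not the article's interactive demo or any browser's code). It records a policy only after a response has been seen, honours max-age expiry and max-age=0 removal, matches parent-domain entries that carry includeSubDomains, and rewrites http:// URLs before they would leave the device. `simulate` replays the article's scenario with yourschool.edu.ph and returns the URLs that would actually go on the wire; time is a plain integer in seconds so the run is deterministic.

```python
"""Model of the browser-side HSTS cache and the first-visit downgrade window.

Added example for this article (not the page's demo or any browser's code).
It models what RFC 6797 calls the store of 'Known HSTS Hosts': entries expire
after max-age, max-age=0 removes an entry, and an entry with includeSubDomains
also covers hosts below it. Ports are ignored for brevity.
"""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Entry:
    expires: int            # absolute time (seconds) after which the entry is forgotten
    include_subdomains: bool


class HstsCache:
    def __init__(self) -> None:
        self._hosts: Dict[str, Entry] = {}

    def remember(self, host: str, max_age: int, include_subdomains: bool, now: int) -> None:
        """Apply a Strict-Transport-Security header received over HTTPS from `host`."""
        host = host.lower()
        if max_age == 0:
            self._hosts.pop(host, None)   # the site asked the browser to forget the policy
            return
        # Every HTTPS visit that carries the header refreshes the expiry
        self._hosts[host] = Entry(now + max_age, include_subdomains)

    def is_known(self, host: str, now: int) -> bool:
        """True if `host` or a parent domain with includeSubDomains is an unexpired entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            if entry.expires <= now:
                del self._hosts[candidate]  # expired: behave as if the header was never seen
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: int) -> str:
        """Upgrade http:// to https:// locally, before any request leaves the device."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname, now):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


def simulate(max_age: int, include_subdomains: bool) -> List[str]:
    """Replay the article's scenario; returns the URLs the browser would actually send."""
    cache = HstsCache()
    sent: List[str] = []
    # t=0: first ever visit, the user types the address without https://.
    # Nothing is cached yet, so this request goes out over plain HTTP: the attack window.
    sent.append(cache.rewrite("http://yourschool.edu.ph/login", now=0))
    # The genuine HTTPS response carries the header and the browser records it.
    cache.remember("yourschool.edu.ph", max_age, include_subdomains, now=0)
    # t=60: same address typed again; the rewrite now happens before the request is sent.
    sent.append(cache.rewrite("http://yourschool.edu.ph/login", now=60))
    # A subdomain is only covered if the policy carried includeSubDomains.
    sent.append(cache.rewrite("http://portal.yourschool.edu.ph/", now=60))
    # After max-age has elapsed without a refreshing visit, the window reopens.
    sent.append(cache.rewrite("http://yourschool.edu.ph/login", now=max_age + 1))
    return sent


if __name__ == "__main__":
    for url in simulate(max_age=31536000, include_subdomains=True):
        print(url)
```

The last step is why a long max-age matters: with the one-year value from the article's snippets the policy survives a summer break, while with a 300-second rollout value it lapses between visits and every visit after a gap starts from plain HTTP again.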
Interactive HSTS Demo: Watch a simulated SSL-stripping downgrade attack unfold step-by-step — then see how one HSTS header stops it cold. No real network traffic is intercepted.
The Site Scanner checks whether your school's site sends an HSTS header and whether its configuration is correct.