HSTS Explained: Locking Your School Site to HTTPS

HTTPS encrypts your site, but HSTS ensures browsers never even try to connect over plain HTTP. It's a one-line header that closes a real attack window — and every school site running HTTPS should have it.

What Is HSTS?

HTTP Strict Transport Security (HSTS) is an HTTP response header that tells browsers: *"This site only works over HTTPS — never try plain HTTP, not even for a moment."*

Once a browser receives this header, it will automatically upgrade any http:// request to https:// locally — before the request ever leaves the device. This closes a specific attack window that plain HTTPS does not cover.

The Attack HSTS Prevents

Even with HTTPS enabled, there is a brief vulnerability during a user's first visit or when someone types yourschool.edu.ph without the https:// prefix:

  1. Browser sends an HTTP request to http://yourschool.edu.ph
  2. Server responds: "Redirect to HTTPS"
  3. Browser follows redirect to https://yourschool.edu.ph

An attacker on the same network (school Wi-Fi, for example) can intercept steps 1 and 2 by answering the plain-HTTP request themselves, an SSL stripping attack: the attacker fetches the real site over HTTPS, relays it to the user over HTTP, and the user sees a working portal with nothing more than a missing padlock to warn them. Credentials entered on what looks like the school portal reach the attacker in plain text.

Once a browser has seen the HSTS header, steps 1 and 2 disappear entirely: the browser rewrites the URL to https:// on the device and never sends the initial HTTP request. A browser that has never seen the header (a true first visit) is still exposed to this attack, which is the gap the preload list described below closes.

What the Header Looks Like

```
Strict-Transport-Security: max-age=31536000; includeSubDomains
```

| Directive | Meaning |
|-----------|---------|
| max-age=31536000 | Remember this policy for 31,536,000 seconds (1 year); max-age=0 tells the browser to forget it |
| includeSubDomains | Apply to all subdomains too (e.g., portal.yourschool.edu.ph) |
| preload | Request inclusion in browser preload lists (optional, advanced); the list only accepts a policy with max-age of at least one year and includeSubDomains |

How to Add HSTS

Apache (.htaccess or virtual host config)

```apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
```

This needs mod_headers enabled. Put it in the HTTPS virtual host; if it lives in .htaccess it is also sent on plain-HTTP responses, which is harmless because browsers ignore an HSTS header received over HTTP.

Nginx

```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```

Place this in the server block that listens on 443. The always flag makes nginx send the header on error responses as well as 200s. Note that an add_header inside a location block replaces all add_header directives inherited from the server block, so repeat the HSTS line in any location that sets its own headers.

Cloudflare

In your Cloudflare dashboard: SSL/TLS → Edge Certificates → HTTP Strict Transport Security (HSTS) — toggle it on. Set max-age to at least 6 months.

WordPress (via plugin)

Plugins like Really Simple SSL or Headers & Security can add HSTS without touching server config.

Important: Only Enable HSTS When HTTPS Is Working Correctly

HSTS is a commitment. Once a browser has seen the header:

  • It will refuse to load your site over HTTP for the entire max-age period
  • If your certificate expires or HTTPS breaks, users will see a hard error that cannot be clicked through, not a redirect to HTTP

Before enabling HSTS:

  1. Confirm HTTPS is working on all pages
  2. Confirm HTTP redirects properly to HTTPS
  3. Confirm your certificate is valid and auto-renewing
  4. Test with a short max-age (e.g., 300 seconds) first

HSTS Preloading (Optional, Advanced)

The preload directive allows you to submit your domain to the HSTS Preload List, a list built into Chrome, Firefox, and other browsers. Preloaded domains get HSTS enforcement even on the very first visit, before the browser has ever seen your header. Submission requires max-age of at least one year, includeSubDomains and the preload directive on the header served by your site.

This is optional and hard to reverse: a removal request only reaches users when new browser releases ship, which takes months. Only do it if you are fully committed to HTTPS for the long term, on every subdomain.
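The following example, added for this page and not the Site Scanner's own code, ties together the directives in the table above, the preload requirements, and the browser behaviour described under "What Is HSTS?" and "The Attack HSTS Prevents". It parses a Strict-Transport-Security value the way RFC 6797 prescribes, reports the findings a scanner would raise for a weak or malformed header, and models the browser's HSTS store to show when an http:// request is upgraded locally. The host names and header values are constructed samples.

```python
# Added example for this page, not the Site Scanner's code. Host names and
# header values used below are constructed samples.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31536000  # seconds; also the minimum max-age the preload list accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1): names are
    case-insensitive, max-age is required, a directive may appear only once and
    unknown directives are ignored. Returns None for a malformed header, which
    is what a browser does with it."""
    seen = set()
    max_age = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # the value may be a quoted-string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def check_hsts(header: Optional[str], min_age: int = ONE_YEAR) -> List[str]:
    """Findings for a header value seen over HTTPS (None = header absent).
    Lower min_age (e.g. 300) while testing a new deployment, then raise it."""
    if header is None:
        return ["no Strict-Transport-Security header"]
    policy = parse_hsts(header)
    if policy is None:
        return ["header is malformed; browsers will ignore it"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 clears the policy instead of enforcing it")
    elif policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age} is below {min_age} seconds")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing; subdomains stay exposed")
    if policy.preload and (policy.max_age < ONE_YEAR or not policy.include_subdomains):
        findings.append("preload set, but the list requires max-age>=1 year and includeSubDomains")
    return findings


class HstsCache:
    """Minimal model of a browser's HSTS store: host -> (expiry, includeSubDomains)."""

    def __init__(self) -> None:
        self.store: Dict[str, Tuple[int, bool]] = {}

    def observe(self, host: str, scheme: str, header: str, now: int) -> None:
        """Learn a policy from a response. Browsers must ignore the header on
        plain-HTTP responses (RFC 6797); max-age=0 deletes the stored entry."""
        if scheme != "https":
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy.max_age == 0:
            self.store.pop(host, None)
        else:
            self.store[host] = (now + policy.max_age, policy.include_subdomains)

    def should_upgrade(self, host: str, now: int) -> bool:
        """True if an http:// request for host is rewritten to https:// locally,
        before it leaves the device, so steps 1-2 on the page never happen."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.store.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue  # unknown host, or the stored policy has expired
            if i == 0 or entry[1]:
                return True  # exact match, or a parent with includeSubDomains
        return False
```

Feed check_hsts the value you get from the HTTPS response (for example the output of curl -sI https://yourschool.edu.ph, a hypothetical host) and it returns an empty list for the recommended header and a list of problems otherwise; during the short-max-age trial from the checklist, pass min_age=300 so the trial value is not flagged. The HstsCache part shows why the header must be served over HTTPS and why a policy on yourschool.edu.ph with includeSubDomains also upgrades portal.yourschool.edu.ph, while a header received over plain HTTP is discarded.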

Check Your Site

The Site Scanner checks whether your school's site sends an HSTS header and whether its configuration is correct.
