Yoryantra
← Back to Tools

HSTS Header Generator

Generate Strict-Transport-Security headers for HTTPS sites. Configure max-age, includeSubDomains, preload, rollout warnings, and copy clean HSTS output in your browser.

HSTS Settings

Start with a short max-age while testing. Use long values only after HTTPS works correctly on the main domain and all subdomains you include.

Output

Generated HSTS output will appear here.
HSTS header generation happens directly in your browser. No domain or header value is uploaded to a server.

Generating Strict-Transport-Security Headers

HSTS tells browsers to use HTTPS for future visits to your site. It helps prevent accidental HTTP access and reduces the chance of downgrade-related problems after a visitor has received the header.

This HSTS Header Generator creates a clean Strict-Transport-Security header with max-age, includeSubDomains, and preload options. It also gives practical warnings so you do not lock yourself into a setting before your HTTPS setup is ready. It also treats max-age=0 as a removal value, not a normal protection value.

Creating an HSTS Header Safely

  1. Choose a max-age value. Start small while testing.
  2. Enable includeSubDomains only if all subdomains support HTTPS.
  3. Add preload only when the root domain and all included subdomains are ready.
  4. Generate the header and review the warnings.
  5. Copy the output for your server, CDN, or hosting provider.

Common HSTS Header Use Cases

  • Adding a Strict-Transport-Security header to an HTTPS site.
  • Preparing Nginx or Apache header configuration.
  • Testing short max-age values before a longer rollout.
  • Checking whether a header meets common preload-style requirements.
  • Creating a max-age=0 header when you intentionally need to remove HSTS.
  • Creating CDN or hosting provider header values.
  • Reviewing includeSubDomains before enabling it site-wide.

Example HSTS Header

Strict-Transport-Security: max-age=31536000; includeSubDomains

Be Careful With Long HSTS Values

HSTS is powerful because browsers remember it. A long max-age can keep browsers forcing HTTPS for months or years. That is useful for a stable HTTPS site, but risky if your HTTPS setup is incomplete.

Before using includeSubDomains or preload, check that every affected hostname can serve HTTPS correctly. Start with a short value while testing, then increase it after you are confident. Use max-age=0 only when you intentionally need browsers to forget an existing HSTS policy after receiving the response over HTTPS.

Frequently Asked Questions

What is an HSTS header?

HSTS stands for HTTP Strict Transport Security. It tells browsers to use HTTPS for future requests to a site.

What does max-age mean?

max-age is the number of seconds a browser should remember the HSTS rule for your site.

Should I enable includeSubDomains?

Only enable it if every subdomain that matters supports HTTPS correctly. Otherwise some subdomains may become hard to access.

What is HSTS preload?

Preload is a stronger setup where browsers can know your site should use HTTPS before the first visit. It should be used only when you are sure the whole domain is ready.

Can I use max-age=0?

Yes, but it is normally used to remove an existing HSTS policy. It must still be sent over HTTPS for browsers to apply it.

Is anything uploaded when I generate the header?

No. The HSTS header is generated directly in your browser.