What Is HSTS (HTTP Strict Transport Security)?
HSTS is a security policy that tells browsers to only connect to a website using HTTPS, never HTTP. Once a browser sees an HSTS header, it automatically upgrades all future HTTP requests to HTTPS.
Why It Matters
HSTS prevents downgrade attacks — where an attacker forces a browser to use insecure HTTP instead of HTTPS. Once a browser receives an HSTS header, it remembers: “This domain is HTTPS-only” for a specified duration (often 1-2 years).
For domain forwarding, HSTS means:
- If the source domain ever had HSTS, HTTPS forwarding is mandatory
- HTTP-only forwarding services (most registrars) will break
- Browsers won’t even attempt an HTTP connection — they upgrade automatically
- Mixed content is aggressively blocked on HSTS-enabled domains
How HSTS Works
The server sends this HTTP header:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
| Directive | Meaning |
|---|---|
| max-age=31536000 | Remember this policy for 1 year |
| includeSubDomains | Apply to all subdomains too |
| preload | Eligible for browser’s built-in HSTS list |
HSTS Preload List
Major browsers maintain a hardcoded list of domains that must always use HTTPS. Once a domain is on the preload list:
- Every browser will enforce HTTPS — even on first visit
- Removal takes months if you change your mind
- Forwarding must support HTTPS permanently
How Domain Forward Handles This
Domain Forward serves all redirects over HTTPS with valid TLS certificates. Whether or not a domain has HSTS enabled, the forwarding works correctly because HTTPS is always available.
Frequently Asked Questions
Yes. If a domain has HSTS enabled, the browser will ONLY connect via HTTPS — meaning the forwarding server absolutely must have a valid SSL certificate. HTTP-only forwarding will fail completely.
If you previously served a site with HSTS headers and then want to set up HTTP-only forwarding, browsers that cached the HSTS policy will refuse to connect. Domain Forward avoids this by always providing HTTPS.