---
title: "HTTP Strict Transport Security (HSTS) in NGINX"
description: "HTTP Strict Transport Security (HSTS) protects against HTTP downgrade attacks by forcing browsers to only make secure connections with your domain. Adding NGINX HSTS is similar to and designed to..."
url: https://www.inmotionhosting.com/support/server/nginx/nginx-hsts/
date: 2021-12-10
modified: 2025-11-07
author: "InMotion Hosting Contributor"
categories: ["NGINX"]
type: post
lang: en
---

# HTTP Strict Transport Security (HSTS) in NGINX

![NGINX HSTS Header](https://www.inmotionhosting.com/support/wp-content/uploads/2021/12/nginx-hsts-header-1024x538.jpg)

**HTTP Strict Transport Security (HSTS)** protects against HTTP downgrade attacks by forcing browsers to only make secure connections with your domain. Adding NGINX HSTS is similar to and designed to work with [SSL redirects](https://www.inmotionhosting.com/support/server/nginx/nginx-redirect/). The HSTS header embeds the redirect code within the user’s web browser. The security HTTP header is supported by the most popular web browsers today, including the KaiOS browser.

Implementing the NGINX HSTS header prevents users from overriding invalid or self-signed certificate warnings. Your website will become inaccessible without a valid SSL certificate.

This is the most secure HSTS header with every directive enabled:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

```
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```

Let’s break down each directive of the HSTS header.

**max-age:** Specifies how long the header will be active in seconds. This is the only required directive. This must be set to “31536000” to be eligible for HSTS preloading.

**includeSubDomains:** Applies HSTS to all subdomains. If you add this optional directive, you’ll need to ensure any subdomains used for development and staging purposes have valid SSLs installed.

**Preload: **Authorizes preload listing in web browsers *if eligible*. By default, the user must visit your website for the browser to save the header for subsequent visits. That means the user is still vulnerable to HTTP downgrade attacks upon the first visit. To account for this, popular browsers ship with a text file containing every domain submitted to “preload” the HSTS header. 

Preloading is a two-step process. First you must add “preload” to your HSTS header. The max-age must comply with current standards as well. Then, you must submit your domain at [https://hstspreload.org](https://hstspreload.org/).

Preloading is most beneficial for larger businesses that have the ability to ensure the domain (and subdomains if applicable) always have a valid SSL. It can take up to six months for a submitted domain to be added to the preload list. It can take even longer to remove it between email inquiries and updates to supported browsers.

**Note:** You must be on a [VPS](https://www.inmotionhosting.com/vps-hosting) or [Dedicated server](https://www.inmotionhosting.com/dedicated-servers) to complete the steps in this guide.

## Adding NGINX HSTS in SSH

After you log into SSH, edit the NGINX server configuration file for the domain. If you only have one domain on the server, edit the default NGINX configuration file:

sudo nano /etc/nginx/sites-enabled/default

```
sudo nano /etc/nginx/sites-enabled/default
```

Add the following line directly under the “listen” lines (remove “; preload” if not needed):

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

```
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
```

Remember, the max-age must be at least 1 year (31536000 seconds) for HSTS preloading.

Here’s an example of the how this might look in your configuration file:

server {
listen 80 default_server;
listen [::]:80 default_server;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}

```
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        }
```

After you save your changes, restart NGINX:

systemctl restart nginx

```
systemctl restart nginx
```

Check your server HTTP headers.

curl --head localhost

```
curl --head localhost
```

The HSTS header should display near the bottom.

HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 09 Dec 2021 16:28:01 GMT
Content-Type: text/html
Content-Length: 10701
Last-Modified: Tue, 03 Aug 2021 14:28:03 GMT
Connection: keep-alive
ETag: "00000000-12ab"
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Accept-Ranges: bytes

```
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 09 Dec 2021 16:28:01 GMT
Content-Type: text/html
Content-Length: 10701
Last-Modified: Tue, 03 Aug 2021 14:28:03 GMT
Connection: keep-alive
ETag: "00000000-12ab"
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Accept-Ranges: bytes
```

If you have to clear system caching and want to double-check from a PC, you can use wget which will follow any redirects automatically:

wget --server-response --spider example.com

```
wget --server-response --spider example.com
```

Want to learn more about hardening your NGINX web server? Check out our guide on how to [hide your NGINX server version](https://www.inmotionhosting.com/support/server/nginx/hide-nginx-server-version/).

If you don’t need cPanel, don’t pay for it. Only pay for what you need with our scalable [Cloud VPS Hosting](https://www.inmotionhosting.com/cloud-vps).

![check mark](https://design.inmotionhosting.com/assets/icons/standard/check-blue.svg)CentOS, Debian, or Ubuntu ![check mark](https://design.inmotionhosting.com/assets/icons/standard/check-blue.svg)No Bloatware ![check mark](https://design.inmotionhosting.com/assets/icons/standard/check-blue.svg)SSH and Root Access
