{"id":92835,"date":"2021-12-10T10:55:49","date_gmt":"2021-12-10T15:55:49","guid":{"rendered":"https:\/\/www.inmotionhosting.com\/support\/?p=92835"},"modified":"2025-11-07T17:29:53","modified_gmt":"2025-11-07T22:29:53","slug":"nginx-hsts","status":"publish","type":"post","link":"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/","title":{"rendered":"HTTP Strict Transport Security (HSTS) in NGINX"},"content":{"rendered":"<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2021\/12\/nginx-hsts-header-1024x538.jpg\" alt=\"NGINX HSTS Header\" class=\"wp-image-92836\" srcset=\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2021\/12\/nginx-hsts-header-1024x538.jpg 1024w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2021\/12\/nginx-hsts-header-300x158.jpg 300w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2021\/12\/nginx-hsts-header-768x403.jpg 768w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2021\/12\/nginx-hsts-header.jpg 1200w\" sizes=\"auto, (min-width: 1360px) 876px, (min-width: 960px) calc(61.58vw + 51px), calc(100vw - 80px)\" \/><\/figure>\n\n\n\n<p><strong>HTTP Strict Transport Security (HSTS)<\/strong> protects against HTTP downgrade attacks by forcing browsers to only make secure connections with your domain. Adding NGINX HSTS is similar to and designed to work with <a href=\"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-redirect\/\">SSL redirects<\/a>. The HSTS header embeds the redirect code within the user\u2019s web browser. The security HTTP header is supported by the most popular web browsers today, including the KaiOS browser.<\/p>\n\n\n\n<p class=\"alert alert-warning\">Implementing the NGINX HSTS header prevents users from overriding invalid or self-signed certificate warnings. Your website will become inaccessible without a valid SSL certificate.<\/p>\n\n\n\n<p>This is the most secure HSTS header with every directive enabled:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono-NL.ttf\" style=\"font-size:clamp(16px, 1rem, 24px);font-family:Code-Pro-JetBrains-Mono-NL,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:clamp(26px, 1.625rem, 39px);--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span role=\"button\" tabindex=\"0\" style=\"color:#e1e4e8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>Strict-Transport-Security: max-age=31536000; includeSubDomains; preload<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewbox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M4.5 12.75l6 6 9-13.5\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M16.5 8.25V6a2.25 2.25 0 00-2.25-2.25H6A2.25 2.25 0 003.75 6v8.25A2.25 2.25 0 006 16.5h2.25m8.25-8.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-7.5A2.25 2.25 0 018.25 18v-1.5m8.25-8.25h-6a2.25 2.25 0 00-2.25 2.25v6\"><\/path><\/svg><\/span><pre class=\"shiki github-dark\" style=\"background-color: #24292e\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #E1E4E8\">Strict-Transport-Security: max-age=31536000; includeSubDomains; <\/span><span style=\"color: #F97583\">preload<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Let\u2019s break down each directive of the HSTS header.<\/p>\n\n\n\n<p><strong>max-age:<\/strong> Specifies how long the header will be active in seconds. This is the only required directive. This must be set to \u201c31536000\u201d to be eligible for HSTS preloading.<\/p>\n\n\n\n<p><strong>includeSubDomains:<\/strong> Applies HSTS to all subdomains. If you add this optional directive, you\u2019ll need to ensure any subdomains used for development and staging purposes have valid SSLs installed.<\/p>\n\n\n\n<p><strong>Preload: <\/strong>Authorizes preload listing in web browsers <em>if eligible<\/em>. By default, the user must visit your website for the browser to save the header for subsequent visits. That means the user is still vulnerable to HTTP downgrade attacks upon the first visit. To account for this, popular browsers ship with a text file containing every domain submitted to \u201cpreload\u201d the HSTS header.\u00a0<\/p>\n\n\n\n<p>Preloading is a two-step process. First you must add \u201cpreload\u201d to your HSTS header. The max-age must comply with current standards as well. Then, you must submit your domain at <a href=\"https:\/\/hstspreload.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/hstspreload.org<\/a>.<\/p>\n\n\n\n<p>Preloading is most beneficial for larger businesses that have the ability to ensure the domain (and subdomains if applicable) always have a valid SSL. It can take up to six months for a submitted domain to be added to the preload list. It can take even longer to remove it between email inquiries and updates to supported browsers.<\/p>\n\n\n\n<p class=\"alert alert-warning\"><strong>Note:<\/strong> You must be on a <a href=\"https:\/\/www.inmotionhosting.com\/vps-hosting\">VPS<\/a> or <a href=\"https:\/\/www.inmotionhosting.com\/dedicated-servers\">Dedicated server<\/a> to complete the steps in this guide.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"nginx\">Adding NGINX HSTS in SSH<\/h2>\n\n\n\n<p>After you log into SSH, edit the NGINX server configuration file for the domain. If you only have one domain on the server, edit the default NGINX configuration file:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono-NL.ttf\" style=\"font-size:clamp(16px, 1rem, 24px);font-family:Code-Pro-JetBrains-Mono-NL,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:clamp(26px, 1.625rem, 39px);--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span role=\"button\" tabindex=\"0\" style=\"color:#e1e4e8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>sudo nano \/etc\/nginx\/sites-enabled\/default<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewbox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M4.5 12.75l6 6 9-13.5\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M16.5 8.25V6a2.25 2.25 0 00-2.25-2.25H6A2.25 2.25 0 003.75 6v8.25A2.25 2.25 0 006 16.5h2.25m8.25-8.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-7.5A2.25 2.25 0 018.25 18v-1.5m8.25-8.25h-6a2.25 2.25 0 00-2.25 2.25v6\"><\/path><\/svg><\/span><pre class=\"shiki github-dark\" style=\"background-color: #24292e\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #F97583\">sudo<\/span><span style=\"color: #E1E4E8\"> nano \/etc\/nginx\/sites-enabled\/default<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Add the following line directly under the \u201clisten\u201d lines (remove \u201c; preload\u201d if not needed):<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono-NL.ttf\" style=\"font-size:clamp(16px, 1rem, 24px);font-family:Code-Pro-JetBrains-Mono-NL,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:clamp(26px, 1.625rem, 39px);--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span role=\"button\" tabindex=\"0\" style=\"color:#e1e4e8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\" always;<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewbox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M4.5 12.75l6 6 9-13.5\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M16.5 8.25V6a2.25 2.25 0 00-2.25-2.25H6A2.25 2.25 0 003.75 6v8.25A2.25 2.25 0 006 16.5h2.25m8.25-8.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-7.5A2.25 2.25 0 018.25 18v-1.5m8.25-8.25h-6a2.25 2.25 0 00-2.25 2.25v6\"><\/path><\/svg><\/span><pre class=\"shiki github-dark\" style=\"background-color: #24292e\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #F97583\">add_header <\/span><span style=\"color: #E1E4E8\">Strict-Transport-Security <\/span><span style=\"color: #9ECBFF\">\"max-age=31536000; includeSubDomains; preload\"<\/span><span style=\"color: #E1E4E8\"> always;<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p class=\"alert alert-info\">Remember, the max-age must be at least 1 year (31536000 seconds) for HSTS preloading.<\/p>\n\n\n\n<p>Here\u2019s an example of the how this might look in your configuration file:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono-NL.ttf\" style=\"font-size:clamp(16px, 1rem, 24px);font-family:Code-Pro-JetBrains-Mono-NL,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:clamp(26px, 1.625rem, 39px);--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span role=\"button\" tabindex=\"0\" style=\"color:#e1e4e8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>server {\n        listen 80 default_server;\n        listen [::]:80 default_server;\n        add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\" always;\n        }<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewbox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M4.5 12.75l6 6 9-13.5\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M16.5 8.25V6a2.25 2.25 0 00-2.25-2.25H6A2.25 2.25 0 003.75 6v8.25A2.25 2.25 0 006 16.5h2.25m8.25-8.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-7.5A2.25 2.25 0 018.25 18v-1.5m8.25-8.25h-6a2.25 2.25 0 00-2.25 2.25v6\"><\/path><\/svg><\/span><pre class=\"shiki github-dark\" style=\"background-color: #24292e\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #F97583\">server<\/span><span style=\"color: #E1E4E8\"> {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #E1E4E8\">       <\/span><span style=\"color: #F97583\"> listen <\/span><span style=\"color: #E1E4E8\">80<\/span><span style=\"color: #79B8FF\"> default_server<\/span><span style=\"color: #E1E4E8\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #E1E4E8\">       <\/span><span style=\"color: #F97583\"> listen <\/span><span style=\"color: #E1E4E8\">[::]:80<\/span><span style=\"color: #79B8FF\"> default_server<\/span><span style=\"color: #E1E4E8\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #E1E4E8\">       <\/span><span style=\"color: #F97583\"> add_header <\/span><span style=\"color: #E1E4E8\">Strict-Transport-Security <\/span><span style=\"color: #9ECBFF\">\"max-age=31536000; includeSubDomains; preload\"<\/span><span style=\"color: #E1E4E8\"> always;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #E1E4E8\">        }<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>After you save your changes, restart NGINX:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono-NL.ttf\" style=\"font-size:clamp(16px, 1rem, 24px);font-family:Code-Pro-JetBrains-Mono-NL,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:clamp(26px, 1.625rem, 39px);--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span role=\"button\" tabindex=\"0\" style=\"color:#e1e4e8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>systemctl restart nginx<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewbox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M4.5 12.75l6 6 9-13.5\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M16.5 8.25V6a2.25 2.25 0 00-2.25-2.25H6A2.25 2.25 0 003.75 6v8.25A2.25 2.25 0 006 16.5h2.25m8.25-8.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-7.5A2.25 2.25 0 018.25 18v-1.5m8.25-8.25h-6a2.25 2.25 0 00-2.25 2.25v6\"><\/path><\/svg><\/span><pre class=\"shiki github-dark\" style=\"background-color: #24292e\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #F97583\">systemctl<\/span><span style=\"color: #E1E4E8\"> restart nginx<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Check your server HTTP headers.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono-NL.ttf\" style=\"font-size:clamp(16px, 1rem, 24px);font-family:Code-Pro-JetBrains-Mono-NL,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:clamp(26px, 1.625rem, 39px);--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span role=\"button\" tabindex=\"0\" style=\"color:#e1e4e8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>curl --head localhost<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewbox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M4.5 12.75l6 6 9-13.5\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M16.5 8.25V6a2.25 2.25 0 00-2.25-2.25H6A2.25 2.25 0 003.75 6v8.25A2.25 2.25 0 006 16.5h2.25m8.25-8.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-7.5A2.25 2.25 0 018.25 18v-1.5m8.25-8.25h-6a2.25 2.25 0 00-2.25 2.25v6\"><\/path><\/svg><\/span><pre class=\"shiki github-dark\" style=\"background-color: #24292e\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #F97583\">curl<\/span><span style=\"color: #E1E4E8\"> --head localhost<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>The HSTS header should display near the bottom.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono-NL.ttf\" style=\"font-size:clamp(16px, 1rem, 24px);font-family:Code-Pro-JetBrains-Mono-NL,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:clamp(26px, 1.625rem, 39px);--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span role=\"button\" tabindex=\"0\" style=\"color:#e1e4e8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>HTTP\/1.1 200 OK\nServer: nginx\/1.14.2\nDate: Thu, 09 Dec 2021 16:28:01 GMT\nContent-Type: text\/html\nContent-Length: 10701\nLast-Modified: Tue, 03 Aug 2021 14:28:03 GMT\nConnection: keep-alive\nETag: \"00000000-12ab\"\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload\nAccept-Ranges: bytes<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewbox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M4.5 12.75l6 6 9-13.5\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M16.5 8.25V6a2.25 2.25 0 00-2.25-2.25H6A2.25 2.25 0 003.75 6v8.25A2.25 2.25 0 006 16.5h2.25m8.25-8.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-7.5A2.25 2.25 0 018.25 18v-1.5m8.25-8.25h-6a2.25 2.25 0 00-2.25 2.25v6\"><\/path><\/svg><\/span><pre class=\"shiki github-dark\" style=\"background-color: #24292e\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #E1E4E8\">HTTP\/1.<\/span><span style=\"color: #F97583\">1<\/span><span style=\"color: #E1E4E8\"> 200 OK<\/span><\/span>\n<span class=\"line\"><span style=\"color: #E1E4E8\">Server: <\/span><span style=\"color: #79B8FF\">nginx\/1.14.2<\/span><\/span>\n<span class=\"line\"><span style=\"color: #E1E4E8\">Date: Thu, <\/span><span style=\"color: #79B8FF\">09<\/span><span style=\"color: #E1E4E8\"> Dec <\/span><span style=\"color: #79B8FF\">2021<\/span><span style=\"color: #E1E4E8\"> 16:28:01 GMT<\/span><\/span>\n<span class=\"line\"><span style=\"color: #E1E4E8\">Content-Type: text\/html<\/span><\/span>\n<span class=\"line\"><span style=\"color: #E1E4E8\">Content-Length: 10701<\/span><\/span>\n<span class=\"line\"><span style=\"color: #E1E4E8\">Last-Modified: Tue, <\/span><span style=\"color: #79B8FF\">03<\/span><span style=\"color: #E1E4E8\"> Aug <\/span><span style=\"color: #79B8FF\">2021<\/span><span style=\"color: #E1E4E8\"> 14:28:03 GMT<\/span><\/span>\n<span class=\"line\"><span style=\"color: #E1E4E8\">Connection: keep-alive<\/span><\/span>\n<span class=\"line\"><span style=\"color: #E1E4E8\">ETag: <\/span><span style=\"color: #9ECBFF\">\"00000000-12ab\"<\/span><\/span>\n<span class=\"line\"><span style=\"color: #E1E4E8\">Strict-Transport-Security: max-age=31536000; includeSubDomains; <\/span><span style=\"color: #F97583\">preload<\/span><\/span>\n<span class=\"line\"><span style=\"color: #E1E4E8\">Accept-Ranges: <\/span><span style=\"color: #F97583\">bytes<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>If you have to clear system caching and want to double-check from a PC, you can use wget which will follow any redirects automatically:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono-NL.ttf\" style=\"font-size:clamp(16px, 1rem, 24px);font-family:Code-Pro-JetBrains-Mono-NL,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:clamp(26px, 1.625rem, 39px);--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span role=\"button\" tabindex=\"0\" style=\"color:#e1e4e8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>wget --server-response --spider example.com<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewbox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M4.5 12.75l6 6 9-13.5\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M16.5 8.25V6a2.25 2.25 0 00-2.25-2.25H6A2.25 2.25 0 003.75 6v8.25A2.25 2.25 0 006 16.5h2.25m8.25-8.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-7.5A2.25 2.25 0 018.25 18v-1.5m8.25-8.25h-6a2.25 2.25 0 00-2.25 2.25v6\"><\/path><\/svg><\/span><pre class=\"shiki github-dark\" style=\"background-color: #24292e\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #F97583\">wget<\/span><span style=\"color: #E1E4E8\"> --server-response --spider example.com<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Want to learn more about hardening your NGINX web server? Check out our guide on how to <a href=\"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/hide-nginx-server-version\/\">hide your NGINX server version<\/a>.<\/p>\n\n\n<div class=\"jumbotron\">\r\n<p>If you don\u2019t need cPanel, don't pay for it. Only pay for what you need with our scalable <a href=\"https:\/\/www.inmotionhosting.com\/cloud-vps\">Cloud VPS Hosting<\/a>.<\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/design.inmotionhosting.com\/assets\/icons\/standard\/check-blue.svg\" alt=\"check mark\" width=\"24\" height=\"24\" \/>CentOS, Debian, or Ubuntu    <img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/design.inmotionhosting.com\/assets\/icons\/standard\/check-blue.svg\" alt=\"check mark\" width=\"24\" height=\"24\" \/>No Bloatware    <img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/design.inmotionhosting.com\/assets\/icons\/standard\/check-blue.svg\" alt=\"check mark\" width=\"24\" height=\"24\" \/>SSH and Root Access<\/p>\r\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>HTTP Strict Transport Security (HSTS) protects against HTTP downgrade attacks by forcing browsers to only make secure connections with your domain. Adding NGINX HSTS is similar to and designed to work with SSL redirects. The HSTS header embeds the redirect code within the user\u2019s web browser. The security HTTP header is supported by the most<a class=\"moretag\" href=\"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/\"> Read More ><\/a><\/p>\n","protected":false},"author":57014,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4455],"tags":[],"class_list":["post-92835","post","type-post","status-publish","format-standard","hentry","category-nginx"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>HTTP Strict Transport Security (HSTS) in NGINX | InMotion Hosting<\/title>\n<meta name=\"description\" content=\"HTTP Strict Transport Security (HSTS) protects against HTTP downgrade attacks by forcing browsers to only make secure connections with your domain.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"HTTP Strict Transport Security (HSTS) in NGINX | InMotion Hosting\" \/>\n<meta property=\"og:description\" content=\"HTTP Strict Transport Security (HSTS) protects against HTTP downgrade attacks by forcing browsers to only make secure connections with your domain.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/\" \/>\n<meta property=\"og:site_name\" content=\"InMotion Hosting Support Center\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/inmotionhosting\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-12-10T15:55:49+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-11-07T22:29:53+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2021\/12\/nginx-hsts-header.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"630\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"InMotion Hosting Contributor\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/InMotionHosting\" \/>\n<meta name=\"twitter:site\" content=\"@InMotionHosting\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"InMotion Hosting Contributor\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/\"},\"author\":{\"name\":\"InMotion Hosting Contributor\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/person\/f9a4fc454cd1df128ee8e898d30d4644\"},\"headline\":\"HTTP Strict Transport Security (HSTS) in NGINX\",\"datePublished\":\"2021-12-10T15:55:49+00:00\",\"dateModified\":\"2025-11-07T22:29:53+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/\"},\"wordCount\":488,\"commentCount\":4,\"publisher\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2021\/12\/nginx-hsts-header-1024x538.jpg\",\"articleSection\":[\"NGINX\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/\",\"url\":\"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/\",\"name\":\"HTTP Strict Transport Security (HSTS) in NGINX | InMotion Hosting\",\"isPartOf\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2021\/12\/nginx-hsts-header-1024x538.jpg\",\"datePublished\":\"2021-12-10T15:55:49+00:00\",\"dateModified\":\"2025-11-07T22:29:53+00:00\",\"description\":\"HTTP Strict Transport Security (HSTS) protects against HTTP downgrade attacks by forcing browsers to only make secure connections with your domain.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/#primaryimage\",\"url\":\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2021\/12\/nginx-hsts-header.jpg\",\"contentUrl\":\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2021\/12\/nginx-hsts-header.jpg\",\"width\":1200,\"height\":630,\"caption\":\"NGINX HSTS Header\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.inmotionhosting.com\/support\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"HTTP Strict Transport Security (HSTS) in NGINX\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#website\",\"url\":\"https:\/\/www.inmotionhosting.com\/support\/\",\"name\":\"InMotion Hosting Support Center\",\"description\":\"Web Hosting Support &amp; Tutorials\",\"publisher\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.inmotionhosting.com\/support\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#organization\",\"name\":\"InMotion Hosting\",\"url\":\"https:\/\/www.inmotionhosting.com\/support\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2023\/02\/inmotion-hosting-logo-yoast.jpg\",\"contentUrl\":\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2023\/02\/inmotion-hosting-logo-yoast.jpg\",\"width\":696,\"height\":696,\"caption\":\"InMotion Hosting\"},\"image\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/inmotionhosting\/\",\"https:\/\/x.com\/InMotionHosting\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/person\/f9a4fc454cd1df128ee8e898d30d4644\",\"name\":\"InMotion Hosting Contributor\",\"description\":\"InMotion Hosting contributors are highly knowledgeable individuals who create relevant content on new trends and troubleshooting techniques to help you achieve your online goals!\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/inmotion-hosting\/\",\"https:\/\/x.com\/https:\/\/twitter.com\/InMotionHosting\"],\"url\":\"https:\/\/www.inmotionhosting.com\/support\/author\/inmotion-hosting-contributor\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"HTTP Strict Transport Security (HSTS) in NGINX | InMotion Hosting","description":"HTTP Strict Transport Security (HSTS) protects against HTTP downgrade attacks by forcing browsers to only make secure connections with your domain.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/","og_locale":"en_US","og_type":"article","og_title":"HTTP Strict Transport Security (HSTS) in NGINX | InMotion Hosting","og_description":"HTTP Strict Transport Security (HSTS) protects against HTTP downgrade attacks by forcing browsers to only make secure connections with your domain.","og_url":"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/","og_site_name":"InMotion Hosting Support Center","article_publisher":"https:\/\/www.facebook.com\/inmotionhosting\/","article_published_time":"2021-12-10T15:55:49+00:00","article_modified_time":"2025-11-07T22:29:53+00:00","og_image":[{"width":1200,"height":630,"url":"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2021\/12\/nginx-hsts-header.jpg","type":"image\/jpeg"}],"author":"InMotion Hosting Contributor","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/InMotionHosting","twitter_site":"@InMotionHosting","twitter_misc":{"Written by":"InMotion Hosting Contributor","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/#article","isPartOf":{"@id":"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/"},"author":{"name":"InMotion Hosting Contributor","@id":"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/person\/f9a4fc454cd1df128ee8e898d30d4644"},"headline":"HTTP Strict Transport Security (HSTS) in NGINX","datePublished":"2021-12-10T15:55:49+00:00","dateModified":"2025-11-07T22:29:53+00:00","mainEntityOfPage":{"@id":"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/"},"wordCount":488,"commentCount":4,"publisher":{"@id":"https:\/\/www.inmotionhosting.com\/support\/#organization"},"image":{"@id":"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2021\/12\/nginx-hsts-header-1024x538.jpg","articleSection":["NGINX"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/","url":"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/","name":"HTTP Strict Transport Security (HSTS) in NGINX | InMotion Hosting","isPartOf":{"@id":"https:\/\/www.inmotionhosting.com\/support\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/#primaryimage"},"image":{"@id":"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2021\/12\/nginx-hsts-header-1024x538.jpg","datePublished":"2021-12-10T15:55:49+00:00","dateModified":"2025-11-07T22:29:53+00:00","description":"HTTP Strict Transport Security (HSTS) protects against HTTP downgrade attacks by forcing browsers to only make secure connections with your domain.","breadcrumb":{"@id":"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/#primaryimage","url":"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2021\/12\/nginx-hsts-header.jpg","contentUrl":"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2021\/12\/nginx-hsts-header.jpg","width":1200,"height":630,"caption":"NGINX HSTS Header"},{"@type":"BreadcrumbList","@id":"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/nginx-hsts\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.inmotionhosting.com\/support\/"},{"@type":"ListItem","position":2,"name":"HTTP Strict Transport Security (HSTS) in NGINX"}]},{"@type":"WebSite","@id":"https:\/\/www.inmotionhosting.com\/support\/#website","url":"https:\/\/www.inmotionhosting.com\/support\/","name":"InMotion Hosting Support Center","description":"Web Hosting Support &amp; Tutorials","publisher":{"@id":"https:\/\/www.inmotionhosting.com\/support\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.inmotionhosting.com\/support\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.inmotionhosting.com\/support\/#organization","name":"InMotion Hosting","url":"https:\/\/www.inmotionhosting.com\/support\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/logo\/image\/","url":"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2023\/02\/inmotion-hosting-logo-yoast.jpg","contentUrl":"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2023\/02\/inmotion-hosting-logo-yoast.jpg","width":696,"height":696,"caption":"InMotion Hosting"},"image":{"@id":"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/inmotionhosting\/","https:\/\/x.com\/InMotionHosting"]},{"@type":"Person","@id":"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/person\/f9a4fc454cd1df128ee8e898d30d4644","name":"InMotion Hosting Contributor","description":"InMotion Hosting contributors are highly knowledgeable individuals who create relevant content on new trends and troubleshooting techniques to help you achieve your online goals!","sameAs":["https:\/\/www.linkedin.com\/company\/inmotion-hosting\/","https:\/\/x.com\/https:\/\/twitter.com\/InMotionHosting"],"url":"https:\/\/www.inmotionhosting.com\/support\/author\/inmotion-hosting-contributor\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"primary_category":{"id":4455,"name":"NGINX","slug":"nginx","link":"https:\/\/www.inmotionhosting.com\/support\/server\/nginx\/"},"_links":{"self":[{"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/posts\/92835","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/users\/57014"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/comments?post=92835"}],"version-history":[{"count":7,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/posts\/92835\/revisions"}],"predecessor-version":[{"id":131101,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/posts\/92835\/revisions\/131101"}],"wp:attachment":[{"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/media?parent=92835"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/categories?post=92835"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/tags?post=92835"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}