Common HSTS Misconfigurations

We have noticed some common mistakes and misconfigurations in the use of HTTP Strict Transport Security.

• Multiple headers: Some websites publish multiple headers. This leads to browsers not correctly upgrading to an encrypted connection.

• Failure to include the preload directive: Modern browsers will automatically use HTTPS if the preload directive is supplied. See hstspreload.org for more information.

• Redirection to a different host: If it is intended that the apex domain be redirected to a domain with another hostname (e.g., http://example.com/ redirects to https://www.example.com/, the initial redirection must be to https://example.com/, which then redirects to https://www.example.com/ in order for HSTS to take effect on future visits.