HSTS

HSTS tells browsers to refuse HTTP connections to a domain entirely — enforcing HTTPS at the browser level, before any network request is made.
Definition

HSTS (HTTP Strict Transport Security) is a web security mechanism implemented via an HTTP response header that instructs browsers to only access a specific domain over HTTPS, refusing any HTTP connections for a defined period. Once a browser has received an HSTS header from a domain, it stores the instruction and enforces HTTPS-only access for that domain automatically — without requiring a server-side redirect.

The header is: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Where max-age specifies the duration in seconds for which the browser enforces HTTPS-only access, includeSubDomains extends enforcement to all subdomains, and preload signals intent to be included in browser HSTS preload lists.

Why HSTS Exists

Standard HTTPS redirection (HTTP → HTTPS via 301) has a vulnerability: the very first request — before the redirect — is made over HTTP. An attacker on the same network can intercept this initial HTTP request before it reaches the server, preventing the HTTPS upgrade. This is a protocol downgrade attack.

HSTS eliminates this vulnerability by making the HTTP-to-HTTPS upgrade happen entirely within the browser, before any network request is made. Once the browser has stored the policy for a domain (or the domain is on its built-in preload list), it never sends an HTTP request to that domain; it rewrites the URL to HTTPS internally.
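As an added illustration (not code from this page or from Cuttly), the following Python models the two halves of the mechanism described above: parsing the header's directives, and a browser-side store that turns later http:// URLs for that host (and, with includeSubDomains, its subdomains) into https:// before any request is sent, honouring max-age expiry and max-age=0 removal. The HstsStore class and its preloaded argument are hypothetical stand-ins for a browser's HSTS cache and preload list.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; None means no usable policy."""
    max_age, include_sub, preload = None, False, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():  # max-age must be a non-negative integer
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:  # a header without max-age carries no policy
        return None
    return {"max_age": max_age, "include_subdomains": include_sub, "preload": preload}

class HstsStore:
    """Toy browser HSTS cache: host -> (expiry time, includeSubDomains flag).
    `preloaded` (hypothetical) stands in for the built-in preload list: never expires, covers subdomains."""
    def __init__(self, preloaded=()):
        self.entries = {}
        self.preloaded = {h.lower() for h in preloaded}

    def observe(self, host, header, now):
        """Record the header `host` sent over a valid HTTPS response; max-age=0 forgets it."""
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy["max_age"] == 0:
            self.entries.pop(host.lower(), None)
        else:
            self.entries[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])

    def is_enforced(self, host, now):
        """True if host, or an ancestor with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:
                return True
            entry = self.entries.get(candidate)
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        """Internal upgrade: http:// to an enforced host becomes https:// before any request."""
        p = urlsplit(url)
        if p.scheme == "http" and p.hostname and self.is_enforced(p.hostname, now):
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url
```

Explicit port numbers are passed through unchanged here; a real browser also maps an explicit port 80 to 443 during the upgrade.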

HSTS and Short Link Domains

Short link domains benefit from HSTS in the same way any domain does — it prevents protocol downgrade attacks on the short link URL itself. For custom branded short link domains, HSTS is a security best practice that can be implemented alongside the standard SSL certificate.

The practical implication for link managers: if a custom branded domain has HSTS enabled, HTTP attempts to access short links on that domain are automatically upgraded to HTTPS by any browser that has previously visited the domain and received the HSTS header. This is desirable behaviour — no HTTP fallback, no protocol downgrade risk.

HSTS Preload Lists

For short link domains, preload list inclusion is a strong security commitment — it means all HTTP traffic to the domain is blocked at the browser level, permanently. This is appropriate for established, stable domains. It is not appropriate for domains that may later need to serve HTTP content or be retired.

HSTS and Redirect Chain Considerations

When a short link redirects to a destination on an HSTS-protected domain, and the destination URL is specified as HTTP, the browser performs a client-side HTTP-to-HTTPS upgrade for the destination. This upgrade is invisible to the user but affects the referrer chain — some browser implementations strip or modify the referrer during client-side HSTS upgrades.

Best practice: always set short link destinations to HTTPS URLs directly. This avoids any client-side upgrade steps and preserves the referrer chain cleanly throughout the redirect.

FAQ

What is HSTS?

A security header instructing browsers to only connect to a domain via HTTPS for a defined period. Enforced at the browser level before any network request is made, preventing protocol downgrade attacks. Implemented via the Strict-Transport-Security response header with a max-age directive.

How does HSTS affect short link redirect chains?

If the destination URL is HTTP on an HSTS domain, the browser upgrades it client-side. To avoid any chain complications, always set short link destinations to HTTPS URLs directly — bypassing client-side upgrades and preserving the referrer chain cleanly.
