
By adding the Strict Transport Security header to your site, you secure every visit from your visitors except for the initial visit. That still leaves your site vulnerable to MITM (man-in-the-middle) attacks for that initial visit, so there is a technique called “preloading” that will add your site to a pre-populated domain list. Once your site is on that list, the major browsers that support HSTS preloading will be notified that your site requires SSL, and every visit, even the very first one from a visitor, will automatically be forced through SSL.


If you want to enable this for your site, you must meet a few requirements before submitting it for preloading:

  1. Have a valid SSL certificate.
  2. You must redirect all HTTP traffic to HTTPS (recommended via 301 permanent redirects). This means that your site should be HTTPS only.
  3. You must serve all subdomains from HTTPS as well. If you have subdomains, you will need a wildcard SSL certificate for this.
  4. Serve an HSTS header on the base domain that meets the following requirements:
    1. The expiration length (the max-age value) must be at least 18 weeks (10886400 seconds).
    2. The includeSubDomains token must be specified in the header.
    3. The preload token must be specified in the header.
    4. If you are serving a redirect, that redirect must have the HSTS header too, not just on the pages it redirects to.
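The header requirements above can be checked mechanically before you submit a domain. The script below is an added illustration for this post, not code from getButterfly or its Lighthouse plugin: it parses a Strict-Transport-Security header into its directives, checks the max-age, includeSubDomains and preload requirements, and then walks a redirect chain so that a redirect without the header (requirement 4.4) is reported as well. The response chains at the bottom are constructed sample data, not real measurements.

```python
"""Check responses against the HSTS preload requirements listed above.
Added illustration for this post, not code from getButterfly or its
Lighthouse plugin; the sample response chains below are constructed."""
from typing import Dict, List, Optional, Tuple

MIN_MAX_AGE = 10886400  # 18 weeks in seconds, the minimum stated in the post
Response = Tuple[str, int, Dict[str, str]]  # (url, status, response headers)


def parse_hsts(header: str) -> Dict[str, Optional[str]]:
    """Split an STS header into its directives (RFC 6797 syntax): names are
    case-insensitive, values are optional and may be quoted, and no directive
    may appear twice (a repeated directive makes the header invalid)."""
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive {name}")
        directives[name] = value.strip().strip('"') if sep else None
    return directives


def check_preload_header(header: Optional[str]) -> List[str]:
    """Return the list of requirement violations; an empty list means compliant."""
    if header is None:
        return ["no Strict-Transport-Security header"]
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        return [str(exc)]
    problems: List[str] = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not a number")
    elif int(max_age) < MIN_MAX_AGE:
        problems.append(f"max-age={max_age} is below the minimum {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains token missing")
    if "preload" not in d:
        problems.append("preload token missing")
    return problems


def check_redirect_chain(chain: List[Response]) -> List[str]:
    """Walk the responses a visitor would receive, starting at the plain
    http:// URL. The HTTP hop must be a 301 to https://; every https://
    response, redirects included, must carry a compliant header."""
    problems: List[str] = []
    for url, status, headers in chain:
        hdrs = {k.lower(): v for k, v in headers.items()}
        if url.startswith("http://"):
            location = hdrs.get("location", "")
            if status != 301 or not location.startswith("https://"):
                problems.append(f"{url}: expected 301 to https://, got {status} -> {location!r}")
            continue
        for p in check_preload_header(hdrs.get("strict-transport-security")):
            problems.append(f"{url}: {p}")
    return problems


# Constructed sample chains for example.com (not real measurements).
HSTS_OK = "max-age=31536000; includeSubDomains; preload"
GOOD_CHAIN: List[Response] = [
    ("http://example.com/", 301, {"Location": "https://example.com/"}),
    ("https://example.com/", 301, {"Location": "https://www.example.com/",
                                   "Strict-Transport-Security": HSTS_OK}),
    ("https://www.example.com/", 200, {"Strict-Transport-Security": HSTS_OK}),
]
BAD_CHAIN: List[Response] = [
    ("http://example.com/", 302, {"Location": "http://www.example.com/"}),
    ("https://example.com/", 301, {"Location": "https://www.example.com/"}),  # redirect lacks HSTS
    ("https://www.example.com/", 200, {"Strict-Transport-Security": "max-age=3600"}),
]

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(name, check_redirect_chain(chain) or "OK")
```

Feed `check_redirect_chain` the actual responses you capture (for example with `requests` and redirects disabled) and every hop that would block preloading is listed with its URL; the bad chain above produces five findings, one for the HTTP hop, one for the redirect that lacks the header, and three for the short header on the final page.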

Now when visitors come to your site, the browser will be notified that you want to be on the preload list. Assuming that you meet all the requirements, you should see your site loaded in that list within a few months.

If you want to check your site’s preload status, you can do it here:

Be aware that inclusion in the preload list cannot really be undone. You can request to be removed, but it will take months for the deleted entry to reach users with a Chrome update and we cannot make guarantees about other browser vendors. Don’t request inclusion unless you’re sure that you can support HTTPS for the long term.

Note that our WordPress security plugin, Lighthouse, allows administrators to switch the HSTS header on and off.

Internet Explorer users are still vulnerable. Nevertheless, it’s worth implementing, as it’s an official IETF standard.

Check out the compatibility table.

Also, you don’t want to implement this unless you’re using HTTPS, but why wouldn’t you be using HTTPS? Remember that HTTPS not only guarantees that your content (and the users’ content) is encrypted and therefore cannot be intercepted, it also provides authenticity, promising your users that yes, this content really came from you.

But if you’re using HTTPS you should probably use HSTS too.
