Improve Performance & Security using HSTS with HTTPS



What is HSTS?

HTTP Strict Transport Security (HSTS) is a web security policy mechanism: an HTTP header which instructs the browser to use only HTTPS for a particular domain for a specific time period.

What is the syntax for HSTS?

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload

max-age=<expire-time>
The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.

includeSubDomains
If this optional parameter is specified, the HSTS rule applies to all of the site's subdomains as well.

preload
Optional syntax used to add a domain to the Chrome Preload List, which is maintained by Google.

Source: Firefox.


Just an example

Try this in your browser

Your browser will automatically force the HTTPS version:

This way it improves performance. I have been using this feature for a long time.

Does Google recommend using HSTS for webmasters?
Yes, they recommend it.

How to implement it for your website?

  1. Ask your hosting team to enable HSTS.

  2. Via the W3 Total Cache (W3TC) plugin: check "Apply HTTP Strict Transport Security policy" on the Browser Cache page.

  3. Using Cloudflare: log in to Cloudflare and enable HSTS on the Crypto page.


  • What do I need to know before implementing HSTS?
    If you are using HTTPS and you commit to maintaining it always, you should go for HSTS.

  • What will happen if someone tries to access the site over HTTP, or the SSL certificate expires?
    HTTP will be redirected to HTTPS. If the SSL certificate expires, the visitor will see an error page. I recently faced this problem when a subdomain related to email was missing an SSL certificate. I had two choices: either install SSL on the tracking subdomain or simply stop using it. I decided to discontinue it because the tracking was of no use to me.

  • How about the Chrome Preload list?
    The Chrome Preload list is used by major browsers to force HTTPS for first-time visitors. This list contains notable names such as Twitter, Facebook, etc. You can also submit at

  • How much time does it take to get into the Chrome Preload list?
    Approx. 2-3 months. Changes may possibly reflect in newer browser versions.

I hope this helps. Please let me know if you have any question. :slight_smile:

Useful resources


Thanks & Regards,

Useful .htaccess code
[Guide] How to Setup W3 Total Cache Plugin?
Google launches .app domains with built-in HTTPS support
Migrate HTTPS Enabled non-top TLD Domain to Cloudflare without Downtime
Speed Up WordPress (Top 5 High Priority Tips)
How to Setup Free Cloudflare CDN for Wordpress (Tutorial)?

This is interesting.

cc @razor


I've got a redirect setup like:
301 Moved Permanently
301 Moved Permanently

Will HSTS work for me?


Yes, it will work for sure.

HSTS requires a pattern like the one below. Ref: Screenshot

http:// to https:// to

And the case below is restricted and shouldn't be used with HSTS.

http to direct https+www.
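To make the two redirect patterns in this reply checkable, here is an added Python helper (not the poster's tool or screenshot). It models the preload-list requirement that the first redirect from an http:// URL must go to https:// on the same host, with any host change (such as adding www.) happening on a later, already-HTTPS hop; the hop lists at the bottom are constructed.

```python
from urllib.parse import urlsplit

def check_hsts_redirect_chain(hops):
    """hops: the URLs a browser visits in order, starting from the typed http:// URL.
    Returns (ok, reason) under the same-host-first rule described in the lead-in."""
    if len(hops) < 2:
        return False, "need the http:// URL and at least one redirect target"
    first, second = urlsplit(hops[0]), urlsplit(hops[1])
    if first.scheme != "http":
        return False, "chain must start from an http:// URL"
    if second.scheme != "https":
        return False, "first redirect must switch to https://"
    if second.hostname != first.hostname:
        # e.g. http://example.com -> https://www.example.com in one hop
        return False, "first redirect changes host (%s -> %s); go to https on the same host first" % (
            first.hostname, second.hostname)
    for hop in hops[2:]:
        if urlsplit(hop).scheme != "https":
            return False, "chain falls back to http at " + hop
    return True, "ok"

# Constructed chains matching the accepted and the restricted case from the reply.
GOOD_CHAIN = ["http://example.com/", "https://example.com/", "https://www.example.com/"]
BAD_CHAIN = ["http://example.com/", "https://www.example.com/"]
```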


Cool fact.

The majority of sites are not using this, but some sites do: "Status: is currently preloaded."

@GulshanKumar Any other examples?


Please check.
If someone is not using it, that's because it's a bit technical.


This is cool. I wonder how a browser saves this setting; does it use cache power?


Yes, you can say that. It basically caches the 'force HTTPS' request.

Additionally, the interesting thing is that for a preloaded domain, the browser doesn't require an HTTP to HTTPS redirection at server level at all, even for the first-time visitor.

In Firefox, they load directly in HTTPS just after hitting enter. No HTTP at all. :slight_smile:


Looks like adding the code
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

in .htaccess will do this job? Sad that Cloudways has no such feature :confused:


Oh, just because the majority of browsers use the Chrome Preload list, which is maintained by Google.


Yes, you can implement it via .htaccess also.

<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>


In Sucuri, you can apply HSTS to your site with a single button click. But as I have the necessary redirections in place, I did not use HSTS because the site is being served at 100% HTTPS. But as per Gulshan's link, it seems Google recommends HSTS, so I will implement it ASAP.



If a customer requests to set this header, we always set it using .htaccess. It is better to set it via .htaccess so that the customer can also remove it from their end.


Yep. See this also:


You have a direct redirection, which is not recommended/possible in HSTS.


Unfortunately, the majority of speed testing tools never bother with this little performance hack. I feel very angry when they recommend nonsense like removing query strings, which doesn't make sense at all except for creating fancy clean URLs for the assets. Most probably, it sometimes causes issues with the browser cache.


A 301 redirection is required. Additionally, we can implement HSTS.


It causes issues with the CDN cache, not only the browser cache.


Yep, never had any idea that HSTS exists. And it is cool; we should have been using it since the day we enabled HTTPS. It reduces server response time and improves loading time for direct readers :smiley:


Yes, it happens. They give the lame excuse that some proxy servers don't cache URLs containing query strings. However, till date I couldn't find any such CDN. All quality CDNs come with a proper option to respect query strings. If the version changes, the file must change, or not change if the setting is to ignore query strings.

For example, in Cloudflare it is the best idea to keep Cache Level at Standard in case of query strings.