HTTPS Redirect & HSTS (HTTP Strict Transport Security)

Complete Guide to Forcing Encrypted Connections — Why Both HTTPS Redirect and HSTS Are Required to Protect Government Websites

Why This Matters for Government Agencies

Without HTTPS redirect, visitors can access your website over unencrypted HTTP — exposing every page view, form submission, and login credential to anyone on the same network. Without HSTS, even visitors who type “https://” can be silently downgraded to HTTP by an attacker. These two controls must work together.

CISA’s Binding Operational Directive 18-01 requires all federal web services to use HTTPS. Most state and local cybersecurity frameworks follow the same standard. A government website without both HTTPS redirect and HSTS is non-compliant.

HTTPS Redirect

Automatically sends visitors from http:// to https:// so every connection is encrypted. Without it, anyone who types your domain without “https://” sees an unencrypted page.

HSTS Header

Tells browsers to always use HTTPS for your domain, even if the user or a link says HTTP. Prevents SSL stripping attacks where an attacker intercepts the redirect and keeps the victim on HTTP.

The Problem: SSL Stripping Attacks

HTTPS redirect alone is not enough. Here’s why:

  1. A citizen connects to public Wi-Fi at a library or courthouse
  2. They type cityofspringfield.gov in their browser (no https://)
  3. The browser sends an HTTP request to http://cityofspringfield.gov
  4. An attacker on the same network intercepts this request
  5. The attacker connects to the real site over HTTPS, but serves the victim an HTTP copy
  6. The victim sees a working website but everything they type — including passwords, form data, personal information — goes through the attacker

The redirect from HTTP to HTTPS never reaches the browser because the attacker blocks it. This is called an SSL stripping attack, first demonstrated by Moxie Marlinspike in 2009 and still effective against any website without HSTS.

HSTS prevents this because browsers that have previously visited the site (or that check the HSTS preload list) will never make an HTTP request — they upgrade to HTTPS internally before the request leaves the device.

What HTTPS Redirect Does

An HTTPS redirect is a server-side rule that responds to any HTTP request with a 301 Moved Permanently redirect to the HTTPS version of the same URL. This ensures:

  • Visitors who type the domain without https:// are automatically upgraded
  • Old bookmarks and links using http:// still work
  • Search engines index the HTTPS version
  • All data transmitted between browser and server is encrypted

Apache Configuration

# In .htaccess or VirtualHost config
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Nginx Configuration

server {
    listen 80;
    server_name example.gov www.example.gov;
    return 301 https://$host$request_uri;
}

IIS (web.config)

<rewrite>
  <rules>
    <rule name="HTTPS Redirect" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="off" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>

What HSTS Does

HSTS is an HTTP response header that instructs browsers to only use HTTPS for your domain for a specified period of time. Once a browser receives the HSTS header, it will:

  • Automatically upgrade all HTTP requests to HTTPS internally (before sending any network traffic)
  • Refuse to connect if the HTTPS certificate is invalid (no “click to proceed” option)
  • Remember the policy for the duration specified by max-age
  • Optionally apply to all subdomains via includeSubDomains

HSTS Header Format

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The header carries three directives:

  • max-age (value: 31536000, i.e. 1 year): how long, in seconds, browsers should remember to use HTTPS only. Minimum recommended: 1 year.
  • includeSubDomains (flag): apply HSTS to all subdomains. Required for preload eligibility.
  • preload (flag): opt in to the HSTS Preload List so browsers enforce HTTPS even on the first visit.

Server Configuration

Apache:

# Place this only in the HTTPS (port 443) VirtualHost; browsers ignore HSTS sent over HTTP
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Nginx:

# Place this only in the HTTPS (listen 443 ssl) server block; browsers ignore HSTS sent over HTTP
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

IIS (web.config):

<customHeaders>
  <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
</customHeaders>

HSTS Preloading

The HSTS Preload List is maintained by Google and used by Chrome, Firefox, Safari, Edge, and other browsers. Once your domain is on the list, browsers enforce HTTPS on the very first visit — no prior visit required.

To qualify for preloading:

  1. Serve a valid SSL certificate
  2. Redirect all HTTP traffic to HTTPS
  3. Serve the HSTS header on the base domain with:
    • max-age of at least 31536000 (1 year)
    • includeSubDomains directive
    • preload directive
  4. All subdomains must also support HTTPS

Submit your domain at hstspreload.org.

Preload Caution

Preloading is difficult to undo. Once submitted, removal can take months and requires browser updates to propagate. Make sure all subdomains support HTTPS before submitting.

How HTTPS Redirect + HSTS Work Together

Each scenario below compares redirect only, HSTS only, and both controls together.

User types domain without https://
  • Redirect only: HTTP request sent, then redirected
  • HSTS only: HTTP request sent (HSTS only works after the first HTTPS visit)
  • Both: first visit redirected; all subsequent visits upgraded internally

SSL stripping attack on public Wi-Fi
  • Redirect only: vulnerable; the attacker blocks the redirect
  • HSTS only: protected after the first visit
  • Both: protected after the first visit (fully, with preload)

Old HTTP bookmark clicked
  • Redirect only: redirected (1 unencrypted request)
  • HSTS only: upgraded internally (zero unencrypted requests)
  • Both: upgraded internally

Invalid/expired certificate
  • Redirect only: browser shows a warning with a bypass option
  • HSTS only: browser blocks access entirely (no bypass)
  • Both: browser blocks access entirely

Real-World Consequences

  • Credential theft: Login pages served over HTTP expose usernames and passwords to anyone monitoring network traffic. On public Wi-Fi, this is trivial.
  • Form data interception: Contact forms, permit applications, and payment portals transmit personal data in plaintext without HTTPS.
  • Content injection: ISPs and attackers can inject ads, tracking scripts, or malicious code into HTTP pages. This has been documented on airline Wi-Fi and hotel networks.
  • Session hijacking: Without HSTS, session cookies can be captured over the initial HTTP request and used to impersonate the user.
  • SEO penalties: Google has used HTTPS as a ranking signal since 2014. Government sites without HTTPS rank lower in search results.

What YesGov Checks

YesGov performs two separate checks:

  • HTTPS Redirect: we request http://domain and check whether the response is a 301/302 redirect to https://. Pass criteria: the HTTP request returns a redirect to HTTPS.
  • HSTS Enabled: we check the HTTPS response headers for Strict-Transport-Security with a valid max-age. Pass criteria: Strict-Transport-Security header present with max-age ≥ 1.

Common Mistakes

  • HSTS on HTTP responses: The HSTS header must only be sent over HTTPS. Browsers ignore it over HTTP (to prevent an attacker from setting a fake HSTS policy).
  • Short max-age: Using max-age=300 (5 minutes) provides almost no protection. Use at least max-age=31536000 (1 year).
  • Missing includeSubDomains: Without this, subdomains like mail.example.gov or portal.example.gov are not protected by HSTS.
  • Redirect chains: Redirecting http:// to http://www. and then to https://www. creates unnecessary unencrypted hops. Go directly to https://.
  • Mixed content: Loading images, scripts, or stylesheets over HTTP on an HTTPS page triggers browser warnings and breaks HSTS protections.
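The two YesGov checks above, the preload criteria, and the redirect-chain and HSTS-over-HTTP mistakes, expressed as one offline check over captured responses. This is an added example, not YesGov's scanner: responses maps each URL to a constructed (status, headers) capture, and example.gov is a placeholder host.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Split a Strict-Transport-Security value into its three directives."""
    policy = {"max_age": None, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            policy["max_age"] = int(arg.strip('"'))
        elif name.lower() == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name.lower() == "preload":
            policy["preload"] = True
    return policy

def audit(responses, host, max_hops=5):
    """Walk from http://host/ through captured responses ({url: (status, headers)}) and grade them."""
    result = {"redirect_to_https": False, "unencrypted_hops": 0, "hsts_on_http": False,
              "hsts_enabled": False, "preload_eligible": False}
    url = f"http://{host}/"
    for hop in range(max_hops):
        if url not in responses:
            break                                        # redirect target was not captured
        status, raw = responses[url]
        headers = {k.lower(): v for k, v in raw.items()}
        sts = headers.get("strict-transport-security")
        if urlsplit(url).scheme == "http":
            result["unencrypted_hops"] += 1              # more than one means a redirect chain
            result["hsts_on_http"] |= sts is not None    # browsers ignore HSTS sent over HTTP
        if status in (301, 302) and "location" in headers:
            result["redirect_to_https"] |= hop == 0 and headers["location"].startswith("https://")
            url = headers["location"]
            continue
        if urlsplit(url).scheme == "https" and sts is not None:
            policy = parse_hsts(sts)
            age = policy["max_age"] or 0
            result["hsts_enabled"] = age >= 1            # YesGov pass criterion
            result["preload_eligible"] = (age >= 31536000 and policy["includeSubDomains"]
                                          and policy["preload"])
        break
    return result

# Constructed captures standing in for real servers; example.gov is a placeholder host.
GOOD = {"http://example.gov/": (301, {"Location": "https://example.gov/"}),
        "https://example.gov/": (200, {"Strict-Transport-Security":
                                       "max-age=31536000; includeSubDomains; preload"})}
CHAINED = {"http://example.gov/": (301, {"Location": "http://www.example.gov/",
                                         "Strict-Transport-Security": "max-age=300"}),
           "http://www.example.gov/": (301, {"Location": "https://www.example.gov/"}),
           "https://www.example.gov/": (200, {"Strict-Transport-Security": "max-age=300"})}
```

The CHAINED capture fails the redirect check, spends two unencrypted hops, sends HSTS over HTTP where browsers ignore it, and its max-age=300 passes the minimal check but falls far short of preload eligibility.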

CISA Requirements

Binding Operational Directive 18-01 requires all federal executive branch agencies to:

  • Use HTTPS on all web services
  • Enable HSTS with a minimum max-age of 1 year
  • Submit domains to the HSTS preload list
  • Disable support for SSLv2, SSLv3, TLS 1.0, and TLS 1.1

While this directive applies to federal agencies, CISA strongly encourages all government entities — state, local, tribal, and territorial — to follow the same standards. Many state cybersecurity frameworks reference these requirements.

Need Help Configuring HTTPS & HSTS?

YesGov handles complete HTTPS deployment, HSTS configuration, and preload submission for government agencies.
