How to Enable HSTS in NGINX

Return to home page.

Published: July 19, 2020

HSTS can be used to ensure that connections by people connecting to your site are encrypted and use HTTPS. If your browser tries to connect to an HSTS-enabled domain using HTTP, it would have to try requesting over HTTPS. If the HTTPS connection fails or is unavailable the connection must be terminated, preventing the transfer of data.

HSTS can also prevent connections using an invalid, fake, or self-signed certificate. While browsers normally show a warning and let you continue to the site, having HSTS enabled will not let users or attackers bypass these warnings.

To enable HSTS, simply add the following code to your NGINX config for the root domain name (and subdomains if you feel necessary):

Without preloading

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

With Preloading

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

If you want your domain included in the HSTS preload list, you'll go to, enter your domain name into the box, and click the button labeled "Check HSTS preload status and eligibility".

For more information regarding HSTS, including how to get your domain removed from the list if you wish to do so later, visit

Anton McClure /
Page last updated on: 11 August 2020 @ 23:18:15 UTC (+0000)