
HSTS Header: What It Is and How to Check Yours

What is the HSTS header, why it matters for your launch, and how LaunchTrust detects whether your site sends Strict-Transport-Security.

Updated 2026-06-19

If your app or store is served over HTTPS, you have done the hard part. But there is one small header that closes a gap HTTPS alone leaves open: the HSTS header. It is one of the cheapest hardening wins available before you launch, and yet plenty of freshly deployed indie sites ship without it. This page explains what the header does, what LaunchTrust looks for, and how to turn it on.

HTTP Strict Transport Security (HSTS) is a response header, Strict-Transport-Security, that tells a browser: "for the next max-age seconds, only talk to this site over HTTPS, never plain HTTP." Once a browser has seen it on an HTTPS response, it rewrites any http:// URL for your domain to https:// before the request leaves the machine, whether the user typed it, clicked an old link, or an attacker on the network is trying to force the downgrade; it also refuses to let the user click through a certificate warning for that domain. Note what it does not cover: the very first visit, before the browser has ever seen the header, still goes out the way the user asked for it. From the second visit onward, HSTS removes the window in which a request would reach your server over HTTP before your redirect kicks in.

What LaunchTrust checks

LaunchTrust performs a passive read of your site's HTTP response headers and looks specifically for the Strict-Transport-Security header. This is a positive signal: it is something you want to be present. Browsers only honour the header when it arrives on an HTTPS response (they ignore it over plain HTTP), so what counts is the header on the https:// version of your URL. The check is straightforward and grounded in exactly what the header needs to be effective:

  • Detected — the response includes a Strict-Transport-Security header and its max-age value is greater than zero. LaunchTrust reports the parsed max-age and notes whether includeSubDomains is present (for example, "HSTS present (max-age=31536000, includeSubDomains)").
  • Not detected — either no Strict-Transport-Security header was returned at all, or the header is present but max-age is 0, missing, or not a number. A max-age of zero is treated as not effective, because it explicitly tells the browser to forget the HSTS policy.
  • Unable to determine — LaunchTrust could not read the response headers for the scanned URL.

The severity attached to a not-detected result is low. HSTS is a defense-in-depth improvement rather than a critical blocker, especially once your site already forces HTTPS. LaunchTrust does not check for the preload directive, does not submit your domain anywhere, and does not verify whether you are on the browser preload list — it reports only what the header itself says.
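The three outcomes above are easy to reproduce yourself. The following is an added example, not LaunchTrust's own code: it parses a Strict-Transport-Security value the way browsers do (case-insensitive directive names, optional quotes, a duplicated directive invalidates the header, only the first header field is processed) and classifies it into detected, not detected, or unable. The function names, the constructed sample values, and the optional live check via urllib are all this example's own choices.

```python
"""Classify a Strict-Transport-Security header as detected / not detected / unable.

Added example, not LaunchTrust's own code. Function names and the sample
header values below are constructed for illustration.
"""
import re
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31536000  # seconds; the value most guidance recommends


def parse_hsts(value: str) -> Dict[str, str]:
    """Parse one STS header value into a directive map (RFC 6797 section 6.1).

    Directive names are case-insensitive and values may be quoted. A directive
    that appears twice makes the whole header invalid, which is surfaced as an
    empty map so the caller treats it as not effective.
    """
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]
        if name in directives:
            return {}  # duplicate directive: header is invalid
        directives[name] = raw
    return directives


def classify(headers: Optional[List[str]]) -> Tuple[str, str]:
    """Return (status, detail) for the STS values carried by one response.

    `headers` is the list of Strict-Transport-Security values the response
    carried (possibly empty), or None when the headers could not be read.
    """
    if headers is None:
        return "unable", "could not read response headers"
    if not headers:
        return "not_detected", "no Strict-Transport-Security header"
    # RFC 6797 section 8.1: if several STS fields arrive, only the first counts.
    d = parse_hsts(headers[0])
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return "not_detected", "max-age missing or not a number"
    seconds = int(max_age)
    if seconds == 0:
        return "not_detected", "max-age=0 tells the browser to drop the policy"
    note = f"HSTS present (max-age={seconds}"
    if "includesubdomains" in d:
        note += ", includeSubDomains"
    note += ")"
    if seconds < ONE_YEAR:
        note += f"; consider raising to {ONE_YEAR}"
    return "detected", note


def check_url(url: str) -> Tuple[str, str]:
    """Fetch one URL and classify its STS header (needs network access)."""
    if not url.lower().startswith("https://"):
        # Browsers ignore STS received over plain HTTP, so only the
        # https:// response is worth measuring.
        return "unable", "HSTS is only honoured over HTTPS; scan the https:// URL"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return classify(resp.headers.get_all("Strict-Transport-Security") or [])
    except urllib.error.HTTPError as exc:
        # A 404 or 500 page still carries headers, so classify those too.
        return classify(exc.headers.get_all("Strict-Transport-Security") or [])
    except Exception as exc:  # DNS failure, TLS error, timeout
        return "unable", f"could not read response headers: {exc}"


# Constructed sample responses covering each branch above.
SAMPLES: Dict[str, Optional[List[str]]] = {
    "strong": ["max-age=31536000; includeSubDomains"],
    "quoted": ['MAX-AGE="31536000"; includeSubDomains; preload'],
    "zero": ["max-age=0"],
    "no_age": ["includeSubDomains"],
    "short": ["max-age=300"],
    "dup": ["max-age=31536000; max-age=0"],
    "absent": [],
    "unreadable": None,
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(*check_url(sys.argv[1]))
    else:
        for name, values in SAMPLES.items():
            print(f"{name:10} {classify(values)}")
```

Run it with no arguments to see each constructed sample classified, or pass an https:// URL to read your own live headers. The preload directive is parsed but deliberately ignored in the verdict, matching the scope described above.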

Why it matters

No law or regulation names the HSTS header. This check is grounded in widely accepted web security best practice, the kind reviewers, security questionnaires, and your own future self will expect from a production site.

  • It closes the HTTP-to-HTTPS downgrade window. A plain redirect from http:// to https:// still sends one unencrypted request first. On a hostile network, an attacker on the path can answer that request with a plaintext copy of your site instead of your redirect and keep the user on HTTP (the classic SSL-stripping attack). After the first secure visit, HSTS removes that window for as long as max-age has not expired.
  • It pairs with HTTPS enforcement. HSTS is meaningless without HTTPS in place, and HTTPS is stronger with HSTS on top. The two are commonly evaluated together — see the HTTPS / secure transport check.
  • It signals operational maturity. Security headers are a frequent line item in vendor reviews, partner integrations, and store-side trust expectations. Shipping them suggests you take transport security seriously.

A concrete example

A response that LaunchTrust reports as detected looks like this:

HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains
content-type: text/html; charset=utf-8

Here max-age=31536000 is one year in seconds, and includeSubDomains extends the policy to every subdomain. By contrast, a header like strict-transport-security: max-age=0 is reported as not detected, because a zero max-age instructs the browser to drop the policy — the header is technically present but does nothing useful.

How to address it

  1. Confirm HTTPS works first. HSTS only makes sense once every page already loads over HTTPS and HTTP requests redirect to it. If HTTPS is not fully in place, fix that before enabling HSTS.
  2. Add the header at your edge. Set Strict-Transport-Security: max-age=31536000; includeSubDomains in your reverse proxy, CDN, or host config. On many platforms (for example, a Cloudflare-fronted site or a static host) this is a single setting or rule.
  3. Start with a modest max-age if you are cautious. Browsers cache the policy for the full max-age, so a mistake with a one-year value is hard to walk back: you can serve max-age=0 to revoke it, but that only reaches each returning visitor once they next connect over HTTPS. If you are nervous about locking the policy in, begin with a shorter max-age (such as 300), confirm nothing breaks, then raise it to a year.
  4. Only add includeSubDomains if every subdomain is HTTPS. This directive forces HTTPS on *.yourdomain.com too — make sure no subdomain still needs HTTP before you set it.
  5. Re-scan to confirm. Run the check again and verify the result flips to detected with the max-age you expect.

Check this in 30 seconds

Want to know whether your site already sends a usable HSTS header — and which other transport signals are missing? Run a free LaunchTrust scan of your public URL. It reads your live response headers and tells you, in plain language, what is detected, what is not, and where to look next, alongside related checks like mixed content and other security headers.

FAQ

Does adding HSTS make my app pass compliance checks? No. HSTS is a transport-security best practice, not a legal status. Adding the header does not legally clear your app, certify it, or guarantee approval. LaunchTrust surfaces whether the signal is present — it is a compliance aid, not legal advice or certification.

Is a missing HSTS header a launch blocker? Usually not on its own. LaunchTrust marks it as low severity, especially when HTTPS is already enforced. Treat it as a quick hardening win rather than an emergency.

Does LaunchTrust check the preload directive or the preload list? No. The check parses the Strict-Transport-Security header for max-age and notes includeSubDomains, but it does not look for preload or verify browser preload-list status.

Why does my header show as not detected even though it is there? The most common cause is max-age=0 or a missing max-age. A zero value tells browsers to discard the policy, so LaunchTrust reports it as not effective. Set a positive max-age to fix it. Also make sure the header is sent on the HTTPS response itself, not only on the HTTP-to-HTTPS redirect: browsers ignore HSTS received over plain HTTP, and so does this check.

Compliance aid, not legal advice. LaunchTrust reports signals, not a verdict or certification.