When should I enable HSTS?

Hi,

I enabled the SSL/TLS recommender about a month ago on a couple of websites, received emails a few days later and implemented HSTS successfully. For my most popular site, I didn’t receive any recommendation to turn it on.

I am unsure what to do and don’t like to take unnecessary risks. Should I wait? Or is there anything that I can do about it?

The stats show not secure traffic at 0.3% for the last weeks, 8% is TLS v1.2, 92% is TLS v1.3.

Thank you!

If you are confident that you can provide HTTPS service at all times for all your websites, you can go ahead and enable HSTS.

Do not enable that if you have any subdomain still serving HTTP traffic.

4 Likes

Great, thank you! That makes perfect sense.

I’ll give it a try.

And if you’ve got that solidly working, you can submit your domain to the HSTS Preload List:
https://hstspreload.org/

2 Likes

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.