How to Set Up HTTPS and HSTS for Your Website
What these checks test
SiteCurl checks two related security settings. The HTTPS check verifies that your site serves pages over an encrypted connection. The HSTS check looks for a Strict-Transport-Security header that tells browsers to always use HTTPS.
Together, these prevent eavesdropping on your visitors’ connections and protect against downgrade attacks.
Why it matters
Without HTTPS, data sent between your visitors and your server travels in plain text. Anyone on the same network (a coffee shop, airport, or compromised router) can read it. This includes form submissions, login credentials, and any personal information.
Beyond security, Google has used HTTPS as a ranking signal since 2014. Chrome marks HTTP sites as “Not secure” in the address bar. Visitors see this warning and leave.
HSTS goes further. Without it, there is a brief window on the first visit where a browser might try HTTP before being redirected to HTTPS. An attacker on the network can intercept that initial HTTP request. HSTS eliminates this window by telling the browser to never attempt HTTP.
How to fix HTTPS
Get an SSL certificate
Free certificates are available from Let’s Encrypt (https://letsencrypt.org). Most hosting providers offer one-click SSL setup: Render, Netlify, Vercel, and Cloudflare all include free SSL.
For shared hosting, check your control panel (cPanel, Plesk) for a “Let’s Encrypt” or “SSL” option.
Redirect HTTP to HTTPS
After installing your certificate, redirect all HTTP traffic to HTTPS. In Nginx:
server {
    listen 80;
    server_name yoursite.com;
    return 301 https://yoursite.com$request_uri;
}
In Apache .htaccess:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
How to fix HSTS
Add the Strict-Transport-Security header to your server responses:
Strict-Transport-Security: max-age=31536000; includeSubDomains
This tells browsers to use HTTPS for the next year (31536000 seconds) for your domain and all subdomains.
In Nginx, add this to the server block that listens on 443 (the HTTPS block, not the port-80 redirect block): browsers ignore a Strict-Transport-Security header received over plain HTTP, so sending it there does nothing.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Start with a shorter max-age (like 300 seconds) to test, then increase once you confirm everything works. Once a browser has cached a long max-age it refuses plain HTTP for your domain for that whole period, and with includeSubDomains that applies to every subdomain, so make sure each subdomain already works over HTTPS before you raise the value.
How to verify the fix
Visit your site and check for the padlock icon. Use curl to check headers:
curl -sI https://yoursite.com | grep -i strict-transport
Run a SiteCurl scan to verify both HTTPS and HSTS across all scanned pages.
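The curl one-liner above shows the raw header; the checks you actually want to apply to it (and to the port-80 redirect from the Nginx and Apache configs earlier) are easy to get wrong by eye. The following script is an added example, not code from the original page and not SiteCurl's scanner: it parses a Strict-Transport-Security value, flags a short max-age or a missing includeSubDomains, and verifies that the HTTP response is a permanent redirect to the same path over HTTPS. The function names, the sample responses and the use of yoursite.com (the page's placeholder host) are all assumptions; the only dependency is the Python standard library.

```python
"""Check the HTTP->HTTPS redirect and the HSTS header of one site.

Added example (not SiteCurl code). Pure functions take a status code and a
header dict so they can be exercised offline on constructed responses; fetch()
is a thin urllib wrapper for running the same checks against a live host.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the max-age the page recommends


def _header(headers, name):
    """Case-insensitive lookup of one header value (None if absent)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def parse_hsts(value):
    """Split a Strict-Transport-Security value into a {directive: value} dict.

    Directive names are case-insensitive. max-age is required and must be a
    non-negative integer; a duplicated directive makes the header invalid.
    Returns None for a malformed header.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = raw.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    return directives


def check_hsts(headers, scheme="https"):
    """Return a list of findings for the HSTS header of one response."""
    if scheme != "https":
        # Browsers only honour HSTS on HTTPS responses (RFC 6797), so a header
        # seen over HTTP proves nothing: check the HTTPS URL instead.
        return ["HSTS only takes effect on HTTPS responses; check the https:// URL"]
    value = _header(headers, "Strict-Transport-Security")
    if value is None:
        return ["missing Strict-Transport-Security header"]
    parsed = parse_hsts(value)
    if parsed is None:
        return [f"malformed Strict-Transport-Security header: {value!r}"]
    findings = []
    max_age = int(parsed["max-age"])
    if max_age == 0:
        findings.append("max-age=0 disables HSTS (only useful when rolling back)")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below the recommended {ONE_YEAR}")
    if "includesubdomains" not in parsed:
        findings.append("includeSubDomains not set; subdomains remain reachable over HTTP")
    return findings


def check_redirect(status, headers, requested_url):
    """Check that a plain-HTTP response is a permanent redirect to the same
    host and path over HTTPS (what $request_uri / %{REQUEST_URI} preserve)."""
    findings = []
    if status not in (301, 308):
        findings.append(f"expected a permanent redirect (301/308), got {status}")
    location = _header(headers, "Location")
    if location is None:
        return findings + ["redirect has no Location header"]
    want, got = urlsplit(requested_url), urlsplit(location)
    if got.scheme != "https":
        findings.append(f"Location is not HTTPS: {location}")
    if got.hostname != want.hostname:
        findings.append(f"Location changes host to {got.hostname}")
    if (got.path or "/") != (want.path or "/") or got.query != want.query:
        findings.append("Location drops the original path or query")
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report redirects instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url):
    """HEAD one URL without following redirects; returns (status, headers)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
        return err.code, dict(err.headers.items())


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "yoursite.com"  # placeholder host
    status, headers = fetch(f"http://{host}/")
    print("redirect:", check_redirect(status, headers, f"http://{host}/") or "ok")
    status, headers = fetch(f"https://{host}/")
    print("hsts:", check_hsts(headers, "https") or "ok")
```

Run it as `python3 check_hsts.py yoursite.com`; an empty finding list for both checks means the redirect and the header match what this page recommends. The redirect check insists on 301 or 308 rather than 302 because a temporary redirect is re-requested over HTTP on every visit, which is exactly the window HSTS is meant to close.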
Related checks
HTTPS pairs with Content Security Policy and cookie security for a complete security header setup.
Start a free trial to check your site’s security headers.