---
title: "What is HSTS?"
slug: "what-is-hsts"
updated: 2024-03-15T06:41:07Z
published: 2024-03-15T06:41:07Z
---


# What is HSTS?

HSTS stands for **HTTP Strict Transport Security.** It is a mechanism by which a website declares that it must only be accessed over a secure connection (HTTPS). Once a website has declared an HSTS policy through a dedicated response header, the browser must refuse all insecure (plain HTTP) connections to it and must not let the user override warnings about invalid [SSL certificates](/v1/docs/what-is-hsts). HSTS is currently supported by all major browsers.

## What Potential Problems does it Solve?

- A user bookmarks or manually types http://example.com/ and is exposed to a man-in-the-middle attacker. With HSTS, the browser automatically rewrites the HTTP request to HTTPS for the target domain before sending it.
- A web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves some content over HTTP. With HSTS, the browser automatically rewrites those HTTP requests to HTTPS for the target domain.
- A man-in-the-middle attacker attempts to intercept a victim's traffic using an invalid certificate and hopes the user will accept the bad certificate. HSTS does not allow the user to override the invalid-certificate warning.

## Setting HSTS up in Mapp Engage

HSTS is enabled by default on all Mapp-managed domains. You can also enable it for your own domain by requesting the **StrictTransportSecurity** feature from your Customer Success Manager. In this case, the following response header is sent for your domain, and the policy it declares applies to the domain and all of its subdomains:

```
Strict-Transport-Security: max-age=63072000; includeSubDomains
```

> [!NOTE]
> Once set, this cannot be undone! Before requesting the feature, check carefully that the domain and all of its subdomains serve a valid HTTPS certificate.
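As an added illustration (not code from the Mapp Engage documentation or product), the following Python models how a browser treats the header above: it parses the `Strict-Transport-Security` value per RFC 6797 and decides whether a plain `http://` request to a host, or with `includeSubDomains` to one of its subdomains, is upgraded to HTTPS. The host names used in the checks are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class HstsPolicy:
    max_age: int              # seconds the browser keeps the policy cached
    include_subdomains: bool  # True when includeSubDomains was present

def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Return the policy a browser would store, or None when the header is
    invalid and must be ignored (max-age is mandatory; duplicates are fatal)."""
    max_age = None
    include_subdomains = False
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives are ignored, as the RFC 6797 extension rule requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains)

def must_upgrade(policy_host: str, policy: HstsPolicy, request_host: str) -> bool:
    """Would an http:// request to request_host be rewritten to https://, given
    that policy_host previously sent this policy? max-age=0 clears the entry."""
    if policy.max_age == 0:
        return False
    policy_host = policy_host.lower().rstrip(".")
    request_host = request_host.lower().rstrip(".")
    if request_host == policy_host:
        return True
    return policy.include_subdomains and request_host.endswith("." + policy_host)

MAPP_HEADER = "max-age=63072000; includeSubDomains"  # the value this page documents
```

The documented `max-age` of 63072000 seconds is 730 days, so a browser that has seen the header keeps enforcing HTTPS for two years after the last visit, which is why the certificate check in the note above matters for every subdomain.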
