HSTS Misconfiguration Fixes
Locked out of HTTP, subdomain errors, or preload regrets? Here is how to diagnose and fix the most common HSTS mistakes safely.
HSTS tells browsers to forget HTTP exists. That is powerful when HTTPS works everywhere — and painful when one subdomain still serves an expired certificate or when you enabled preload before you were ready. This guide covers the misconfigurations teams actually hit and the safest way to recover from each.
Symptom: visitors cannot reach HTTP at all
This is usually correct behaviour, not a bug. Once a browser has cached an HSTS policy for a host, it rewrites every http:// request for that host to https:// before sending it, so no HTTP endpoint on that host is reachable from that browser until the policy expires. If you still need a temporary HTTP endpoint for legacy tooling, the only remote fix is to change the policy: serve a header with a shorter max-age, or max-age=0 to tell browsers to drop the policy outright, over a working HTTPS connection. Browsers only update the cached policy on their next successful HTTPS visit, so a visitor who does not come back keeps the old policy until it expires; there is no instant override. Putting the legacy endpoint on a hostname outside the policy's scope is usually the quicker route. For emergencies, users can clear site data for the host, but that is not a fix you can rely on at scale.
Symptom: one subdomain is broken
includeSubDomains extends the policy to every hostname below the one that sent the header: a policy from example.com covers staging.example.com, while the same header from www.example.com covers only names under www.example.com and reaches neither example.com nor staging.example.com. If staging.example.com lacks a valid certificate, browsers that cached the policy from example.com will refuse the connection outright, with no click-through. Fix the certificate on that subdomain first. If you cannot, publish the parent's header without includeSubDomains and with a shorter max-age; browsers replace the cached policy with the new directives on their next HTTPS visit to the parent, and the stragglers age out. Re-enable includeSubDomains only when every subdomain is HTTPS-ready.
Symptom: preload regrets
The `preload` directive does nothing on its own; it is the consent token checked when you submit the domain at hstspreload.org. Once accepted, the domain is compiled into Chrome's built-in list, which other major browsers derive theirs from, so the policy is enforced on first visit with nothing cached to expire. Getting out again means dropping `preload` from the header, requesting removal, and waiting for new browser releases to ship, which takes months. Submission requires a valid certificate, an HTTP-to-HTTPS redirect on the same host, every subdomain on HTTPS, max-age of at least one year (31536000), includeSubDomains and preload. Never submit until every subdomain has been served under that full header for weeks without incident.
Symptom: certificate errors after enabling HSTS
HSTS does not fix bad certificates; it makes bad certificates impossible to bypass. Renew the cert, install the full chain, and confirm the hostname matches. Until the certificate is valid, affected users see a hard error with no 'proceed anyway' option. Note that browsers also ignore any Strict-Transport-Security header received over a connection with certificate errors, so you cannot loosen the policy until the certificate is fixed; the certificate always comes first.
Safe recovery playbook
1. Fix the underlying HTTPS problem (certificate, redirect, mixed content) before touching HSTS.
2. Publish a shorter max-age (300 seconds is a sane starting point; max-age=0 if the policy must be dropped entirely) so browsers pick up the new policy on their next HTTPS visit.
3. Remove `preload` from the header and request removal at hstspreload.org if you submitted.
4. Only re-add `includeSubDomains` when every subdomain passes a TLS scan: valid certificate, complete chain, matching hostname.
5. Ramp max-age back up gradually, one day (86400), one week (604800), then one year (31536000), as described in our HSTS setup guide.
Strict-Transport-Security: max-age=300
Prevention beats recovery. Scan live headers after every deploy to confirm the HSTS values in production match what you intended, including on every subdomain the policy covers. PatchPings security scanning grades HSTS alongside six other header categories and flags risky combinations before they strand a subdomain.
HSTS misconfigurations are almost always certificate or subdomain coverage problems wearing a header-shaped disguise. Fix HTTPS first, shorten max-age if you must, and climb back up the ramp slowly. Download the app to verify headers from outside your network — the same view your visitors get.
