Introduction
HSTS is powerful because it tells browsers to stop using HTTP for your domain. That same power makes mistakes painful. Once a browser has cached a policy, it rewrites every http:// request for the covered host to https:// before sending it and suppresses the usual click-through on certificate errors, so if HSTS is enabled before every hostname is truly HTTPS-ready, visitors get locked into certificate or reachability failures that they cannot bypass. The fix is to align the strict transport policy with the real state of your HTTPS deployment.
Symptoms
- Browsers refuse to load the site after HTTPS or redirect changes
- Subdomains that were barely used suddenly become inaccessible over HTTP and HTTPS
- Errors become worse after enabling `Strict-Transport-Security` or preloading
- Some users stay broken even after config changes because the policy is cached locally
- HTTPS works on the main site but not on all related hostnames
Common Causes
- HSTS was enabled before every covered hostname had valid HTTPS
- `includeSubDomains` forced HTTPS on subdomains that were not ready
- Preload submission happened before long-term HTTPS correctness was guaranteed
- Redirect chains or certificates remain inconsistent across hostnames
- Mixed environment ownership leaves one proxy or origin not fully aligned with strict HTTPS enforcement
Step-by-Step Fix
- Inventory every hostname affected by the HSTS policy, including whether `includeSubDomains` or preload status expands the scope.
- Confirm that each covered hostname serves valid HTTPS with the correct certificate and stable redirect behavior.
- Check whether the current problem is on the apex domain, a subdomain, or a legacy hostname that users still reach.
- If the policy was deployed too aggressively, reduce scope or max-age only where recovery still makes sense and where clients can actually receive the update. Browsers only replace a cached policy with a header delivered over a valid HTTPS connection, so a hostname that cannot serve valid HTTPS has no way to tell clients to drop the rule. Serving `max-age=0` over valid HTTPS clears the cached policy for that host; if the rule reached a subdomain through `includeSubDomains` on a parent, only the parent can clear it.
- Fix certificate, redirect, and canonical-host issues across the full hostname set before reapplying a strong HSTS policy.
- Be careful with preload status: the list ships inside browser releases, so removal only reaches users with a browser update and takes months rather than the time it takes to change a header. Submission also requires `includeSubDomains`, the `preload` directive, and a max-age of at least one year, so it commits the entire subtree of the domain.
- Retest from clean browsers and affected devices, but remember some clients keep the cached policy until its max-age expires. On your own test machines, Chrome lets you delete a cached entry at chrome://net-internals/#hsts, and Firefox drops it when you use "Forget About This Site".
- Roll HSTS back up gradually only after every covered hostname is truly HTTPS-ready: start with a short max-age and without `includeSubDomains`, watch for errors, then extend the max-age and widen the scope.
- Keep a hostname inventory tied to HSTS ownership so future domain and TLS certificate changes do not strand users behind cached strict transport rules.
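The procedure above is easy to get wrong by hand once `includeSubDomains` is involved, because the policy cached for the apex silently covers every name under it. The following Python script is an added example written for this page, not code from the original article: it parses the `Strict-Transport-Security` header, applies the same scoping rule a browser uses to decide which hostnames a cached policy covers, reports the hosts that would be stranded because they are not HTTPS-ready, and lists what would block a preload submission. The hostnames, certificate states and header value in `SAMPLE_INVENTORY` are constructed for illustration; `probe()` performs the live check against a real host and is the only part that touches the network.

```python
import http.client
import ssl
from dataclasses import dataclass

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the hstspreload.org minimum


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into its directives.

    Directive names are case-insensitive (RFC 6797). max-age is mandatory;
    includeSubDomains and preload are flags. Returns {} when no header is
    present, which a browser treats as "no policy learned".
    """
    if not header or not header.strip():
        return {}
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age {value!r}")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age is required; browsers ignore the header without it")
    return policy


def is_covered(hostname, policy_host, include_subdomains):
    """True if a policy cached for policy_host applies to hostname."""
    hostname = hostname.lower().rstrip(".")
    policy_host = policy_host.lower().rstrip(".")
    if hostname == policy_host:
        return True
    return include_subdomains and hostname.endswith("." + policy_host)


@dataclass
class HostState:
    hostname: str
    https_ok: bool                  # valid chain, matching name, reachable on 443
    http_redirects_to_https: bool   # port 80 answers with a 30x to https://
    hsts_header: str = ""           # header seen over HTTPS, if any


def stranded_hosts(policy_host, include_subdomains, inventory):
    """Hosts the cached policy locks out: covered but not HTTPS-ready.

    A browser rewrites every request for a covered host to https:// and
    offers no click-through on a certificate error, so these names stay
    unreachable until the policy expires or the host gets a valid cert.
    """
    return sorted(h.hostname for h in inventory
                  if is_covered(h.hostname, policy_host, include_subdomains)
                  and not h.https_ok)


def preload_blockers(policy, apex):
    """Reasons a preload submission for the apex would be rejected or unsafe."""
    if not policy:
        return ["no HSTS header served on the apex over HTTPS"]
    problems = []
    if policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy['max_age']} below {PRELOAD_MIN_MAX_AGE}")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not policy["preload"]:
        problems.append("preload directive missing")
    if not apex.https_ok:
        problems.append("apex does not serve valid HTTPS")
    if not apex.http_redirects_to_https:
        problems.append("apex does not redirect http:// to https://")
    return problems


def probe(hostname, timeout=5.0):
    """Live check of one hostname (network access; not used by the demo).

    The default SSL context enforces chain validation and name matching,
    which is exactly what a browser with a cached policy will insist on.
    """
    state = HostState(hostname, https_ok=False, http_redirects_to_https=False)
    try:
        conn = http.client.HTTPSConnection(hostname, 443, timeout=timeout,
                                           context=ssl.create_default_context())
        conn.request("HEAD", "/", headers={"Host": hostname})
        resp = conn.getresponse()
        state.https_ok = True
        state.hsts_header = resp.getheader("Strict-Transport-Security", "") or ""
        conn.close()
    except (ssl.SSLError, OSError):
        pass  # handshake, certificate or connectivity failure: not HTTPS-ready
    try:
        plain = http.client.HTTPConnection(hostname, 80, timeout=timeout)
        plain.request("HEAD", "/", headers={"Host": hostname})
        resp = plain.getresponse()
        location = (resp.getheader("Location", "") or "").lower()
        state.http_redirects_to_https = (resp.status in (301, 302, 307, 308)
                                         and location.startswith("https://"))
        plain.close()
    except OSError:
        pass
    return state


# Constructed inventory standing in for probe() output on a real estate.
SAMPLE_INVENTORY = [
    HostState("example.com", True, True, "max-age=31536000; includeSubDomains; preload"),
    HostState("www.example.com", True, True),
    HostState("legacy.example.com", False, False),        # HTTP-only intranet app
    HostState("dev.internal.example.com", False, False),  # self-signed certificate
    HostState("example.net", False, False),               # other domain, out of scope
]

if __name__ == "__main__":
    apex = SAMPLE_INVENTORY[0]
    policy = parse_hsts(apex.hsts_header)
    print("stranded:", stranded_hosts(apex.hostname, policy["include_subdomains"], SAMPLE_INVENTORY))
    print("preload blockers:", preload_blockers(policy, apex))
```

Run it against your real inventory by replacing `SAMPLE_INVENTORY` with `[probe(h) for h in hostnames]`. Any name in the `stranded` list is a user-facing outage waiting to happen the moment the apex header is served with `includeSubDomains`, and the `preload blockers` list must be empty before you submit the domain, because preload cannot be undone quickly.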