SSL & SECURITY
Jun 24, 2026

How to Enable HSTS for Stronger HTTPS Security

Author: CloudStick Team, Backend Developer

Browser-enforced HTTPS

What Is HSTS?

HTTP Strict Transport Security (HSTS) is a response header that tells browsers: “For this domain, only connect over HTTPS, for the next N seconds. If you encounter an invalid certificate, do not let the user proceed.” Once a browser has received the HSTS header from a site, it enforces HTTPS entirely at the browser level — it never even sends an HTTP request for that domain. Instead, it internally rewrites http:// to https:// before sending it. This eliminates an entire class of attack known as SSL stripping, where a man-in-the-middle intercepts the initial HTTP request before the server's redirect can happen.

HSTS Is Not a Replacement for the Redirect

HSTS and a 301 redirect serve different purposes and work together, not as alternatives. The 301 redirect handles the first HTTP visit from any new visitor or bot that has never visited before. HSTS handles every subsequent visit from a browser that has seen the header. A user's first visit still goes HTTP → 301 → HTTPS. After that, HSTS ensures every future visit skips HTTP entirely. The HSTS preload list (covered below) fills the remaining gap: it seeds browsers with a list of HSTS domains before the first visit.

WARNING

HSTS is very difficult to undo. Once a browser has cached the header with a long max-age, it will refuse to connect over HTTP for that entire duration — even if you remove the header from your server. Start with a short max-age (300 seconds), verify everything works, then increase to a year. Never enable HSTS if your site has any legitimate HTTP content.

Add the HSTS Header in Nginx

Add the Strict-Transport-Security header inside your HTTPS server block. The header must only be sent over HTTPS: RFC 6797 requires browsers to ignore it when it arrives over plain HTTP, so sending it there is wasted bytes at best and hides misconfiguration at worst:

    server {
        listen 443 ssl http2;
        server_name yourdomain.com www.yourdomain.com;

        ssl_certificate     /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

        # Start with 5 minutes; increase to 1 year after verification
        add_header Strict-Transport-Security "max-age=300" always;

        # Production value (1 year, with subdomains):
        # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        # With preload (only after verifying all subdomains are HTTPS-ready):
        # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    }

Then test the configuration, reload, and confirm the header is actually sent:

    # Test and reload
    sudo nginx -t && sudo systemctl reload nginx

    # Verify the header is being sent
    curl -sI https://yourdomain.com | grep -i strict
    # Expected: strict-transport-security: max-age=300

The HSTS Preload List

The HSTS preload list (hstspreload.org) is a list of domains that ships baked into Chrome, Firefox, Safari, and Edge. Browsers will never send HTTP requests to a domain on this list, even on the very first visit. To submit for preloading, your domain must have HSTS enabled with a max-age of at least one year, includeSubDomains, and the preload directive. Preloading is permanent and takes months to propagate, so only submit once you are certain every subdomain of your domain is and will remain HTTPS.

Safe HSTS Rollout — Step by Step

Follow this sequence to add HSTS safely without risking a locked-out domain:

  1. Confirm all subdomains already serve HTTPS (check www., API subdomains, staging).
  2. Confirm SSL auto-renewal is working correctly (run certbot renew --dry-run).
  3. Add HSTS with max-age=300 (5 minutes). Monitor for 48 hours.
  4. Increase to max-age=86400 (1 day). Monitor for a week.
  5. Increase to max-age=2592000 (30 days). Add includeSubDomains if ready.
  6. Increase to max-age=31536000 (1 year) once confident. Add preload if submitting to the preload list.
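The model below is an added example, not CloudStick code and not any browser's implementation. It shows the browser-side behaviour described in "What Is HSTS?" (parse the header, remember the host, rewrite http:// to https:// before the request is sent, ignore the header when it arrives over plain HTTP, honour includeSubDomains and expiry) and the preload-list header requirements used as the final rollout check. The hostnames are the same yourdomain.com placeholders the configuration above uses; the timestamps in the usage are constructed values.

```python
"""Browser-side HSTS model: header parsing, a policy cache, URL upgrade and a
preload-eligibility check. Added example; assumes nothing beyond RFC 6797 and
the hstspreload.org requirements quoted on the page."""
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; minimum max-age the preload list requires


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into a policy dict.

    Returns None when the value is malformed (RFC 6797 requires max-age and
    forbids duplicate directives), so callers can discard it."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None  # duplicate directive: invalid per RFC 6797
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as the RFC allows
    if policy["max_age"] is None:
        return None
    return policy


class HstsStore:
    """Minimal model of a browser's cache of known HSTS hosts."""

    def __init__(self):
        self.hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def observe(self, host, header, over_https, now=None):
        """Process a response header. Returns True if the cache changed."""
        now = time.time() if now is None else now
        if not over_https:
            return False  # RFC 6797 8.1: ignore STS received over plain HTTP
        policy = parse_hsts(header)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            return self.hosts.pop(host, None) is not None  # max-age=0 forgets
        self.hosts[host] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host, now=None):
        """True if host, or a parent with includeSubDomains, has an unexpired entry."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry > now and (i == 0 or include_sub):
                return True
        return False

    def upgrade(self, url, now=None):
        """Rewrite http:// to https:// for known hosts; other URLs pass through.

        Port 80 becomes 443 (the default), any other explicit port is kept."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def preload_eligible(header):
    """Return the unmet hstspreload.org header requirements (empty list = OK)."""
    policy = parse_hsts(header)
    if policy is None:
        return ["header missing or malformed"]
    problems = []
    if policy["max_age"] < ONE_YEAR:
        problems.append(f"max-age {policy['max_age']} < {ONE_YEAR}")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not policy["preload"]:
        problems.append("preload missing")
    return problems


if __name__ == "__main__":
    store = HstsStore()
    store.observe("yourdomain.com", "max-age=300; includeSubDomains", True, now=1000)
    print(store.upgrade("http://api.yourdomain.com/v1", now=1100))  # upgraded
    print(store.upgrade("http://api.yourdomain.com/v1", now=1400))  # expired
    print(preload_eligible("max-age=300"))
```

The store only changes when the header was received over HTTPS, which is why the header must live in the 443 server block and not in the port-80 redirect block. Feeding the rollout values from the steps above into preload_eligible shows that only the step 6 header (one year, includeSubDomains, preload) comes back with no problems.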

HSTS with CloudStick-Managed Sites

CloudStick manages the Nginx configuration for all sites. You can add the HSTS header by editing the Nginx configuration through the CloudStick dashboard (Websites → your site → Nginx Config) and adding the add_header Strict-Transport-Security directive inside the HTTPS server block. CloudStick validates the Nginx config before applying changes, so a syntax error in your custom directive won't cause a config reload failure. Because CloudStick handles SSL auto-renewal automatically, you can safely use long max-age values without worrying about a manual renewal failure locking out visitors.
