FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jballini
Staff
Article Id 378642
Description

This article describes how to determine whether a website is using HTTP Strict Transport Security (HSTS). A website using HSTS instructs the browser to communicate with it only over encrypted (HTTPS) connections, so the browser will connect to that site over HTTPS only.


This means the website enforces secure communication, and any attempt to intercept and inspect the traffic (as SSL deep inspection does) would break the secure connection and trigger browser warnings or errors.


This can cause connectivity issues or even security warnings in the browser: enabling SSL deep inspection for an HSTS-enabled website conflicts with the secure connection enforced by HSTS, because the firewall attempts a decryption, inspection and re-encryption process on that traffic.

Scope

FortiGate.
Solution

To determine whether a URL is using HTTP Strict Transport Security (HSTS), perform the following steps:

  1. Open a web browser on a computer within the network where the issue is occurring.
  2. Visit the website (for instance fortinet.com).
  3. Once the website loads, right-click anywhere on the page and select 'Inspect', or press F12 to open the Developer Tools.

[Screenshot: 1st screenshot.png]

  4. In the Developer Tools window, navigate to the 'Network' tab.

[Screenshot: 2nd screenshot.png]

  5. Look for the request to the website (fortinet.com) in the list of network requests. The request should have a section labeled 'Response Headers'.

[Screenshot: 3rd screenshot.png]

  6. In the 'Response Headers' section, look for the header 'Strict-Transport-Security'. If this header is present and specifies a time duration, it indicates that the website is using HSTS.
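As an added example, not part of this article or of any Fortinet tool: a Python script that performs the same check without the browser, parsing the Strict-Transport-Security header (its max-age directive is the time duration referred to in step 6) and classifying the result. The fetch_hsts_status helper and the sample headers are constructed here for illustration.

```python
import urllib.request

HSTS_HEADER = "strict-transport-security"

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
}

def parse_hsts(value):
    """Split an HSTS header value into its RFC 6797 directives (names are case-insensitive)."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result

def hsts_status(headers):
    """Classify a mapping of response headers as 'absent' (no HSTS header),
    'invalid' (no mandatory max-age), 'disabled' (max-age=0, browser drops
    the policy) or 'enabled'; returns (status, parsed directives)."""
    value = next((v for k, v in headers.items() if k.lower() == HSTS_HEADER), None)
    if value is None:
        return "absent", None
    parsed = parse_hsts(value)
    if parsed["max_age"] is None:
        return "invalid", parsed
    if parsed["max_age"] == 0:
        return "disabled", parsed
    return "enabled", parsed

def fetch_hsts_status(url, timeout=10):
    """Fetch url and classify its HSTS header (needs network access, not run here)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return hsts_status(dict(resp.headers.items()))

if __name__ == "__main__":
    print(hsts_status(SAMPLE_HEADERS))  # run on the constructed sample headers
```

Run `fetch_hsts_status("https://www.fortinet.com")` from a host with internet access to check a live site; a site behind SSL deep inspection will still show the header, since the firewall forwards the origin's response headers.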