What is HSTS?
HSTS (HTTP Strict Transport Security) is a security setting that forces visitors to always use HTTPS when visiting your site—even if they try to load it with HTTP.
You can turn HSTS on for:
Your main domain (example.com)
Certain subdomains (like www.example.com or hello.example.com)
Or all subdomains at once (using a setting called includeSubDomains)
How Hive uses custom subdomains
Hive recommends sending emails from a custom subdomain. This means the links in your emails also use that subdomain.
For example:
If your custom email subdomain is mail.example.com
Links in your emails will look like click.mail.example.com/link-abc-xyz
This setup improves branding, deliverability, and lets Hive track clicks properly.
How HSTS affects email links
If HSTS is enabled for your subdomain, it can prevent your email links from working correctly.
In Hive: You’ll see the following warning message on your email settings page.
For your recipients: When click links in your emails, the links may not open as expected.
Here’s why:
Hive links first load over HTTP (e.g., http://click.mail.example.com/link-abc-xyz).
HSTS forces them to reload over HTTPS (e.g., https://click.mail.example.com/link-abc-xyz).
Hive can’t provide a valid SSL certificate for those click-tracking links.
As a result, users see a “this page is not secure” warning, and your email links stop working.
The best way to set up HSTS
If you want HSTS enabled on your website—you just need to avoid applying it to all subdomains.
✅ Keep HSTS on your main domain and any subdomains you need (like www.example.com).
❌ Turn off HSTS for your custom email subdomain (e.g., mail.example.com) and your click-tracking subdomain (e.g., click.mail.example.com).
Turning HSTS off for these email subdomains will not affect your main domain’s security.
What if I can’t turn off HSTS for my custom subdomain?
If disabling HSTS on your custom email subdomain isn’t possible, Hive’s support team can turn off click tracking in your emails. This should only be a last resort because:
It can hurt your deliverability.
Links in old emails will stop working.
You will not be able to utilize Hive’s attribution tracking.
Even if you turn HSTS off later, Hive has to keep click tracking disabled for ~180 days (to allow cached settings across the internet to expire).