High Severity | Security Headers

Fix: HSTS Not Enabled

Your server does not send the Strict-Transport-Security (HSTS) header. Without it, browsers may connect over unencrypted HTTP before being redirected to HTTPS, leaving a window for man-in-the-middle attacks.

Quick Fix

Add the `Strict-Transport-Security` header to your web server responses.

What This Error Means

The Strict-Transport-Security header tells browsers to only connect to your site over HTTPS for a specified period. Without it, the first connection may be over HTTP, and an attacker could intercept or modify the redirect.

Why It Matters

Without HSTS, users are vulnerable to SSL stripping attacks. HSTS also prevents users from clicking through certificate warnings, protecting against phishing with invalid certificates.

Step-by-Step Fix

1. Add the HSTS header to Nginx

Add the Strict-Transport-Security header to your Nginx server block.

Example
# In your Nginx server block (HTTPS only):
server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}

2. Add the HSTS header to Apache

Add the header to your Apache virtual host.

Example
<VirtualHost *:443>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>

# Ensure mod_headers is enabled:
sudo a2enmod headers

3. Start with a short max-age

For initial deployment, use a short max-age to test. Increase once verified.

Before
add_header Strict-Transport-Security "max-age=300" always;
After
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

4. Verify the header

Confirm the HSTS header is present in responses.

Example
curl -sI https://yourdomain.com | grep -i strict-transport-security
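The curl check above only shows whether the header is present. The following is an added example (not part of this guide or its scanner) that parses a Strict-Transport-Security value the way a browser does (directives separated by `;`, names case-insensitive, `max-age` required) and reports how a response measures up against the recommendations in this guide: a one-year max-age, includeSubDomains, and delivery over HTTPS only. The sample responses at the bottom are constructed, not real captures.

```python
from dataclasses import dataclass, field
from typing import Optional

ONE_YEAR = 31536000  # the max-age this guide recommends for production


@dataclass
class HstsCheck:
    present: bool
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    findings: list = field(default_factory=list)


def parse_hsts(value: str) -> dict:
    """Split an HSTS value into {directive-name: value-or-None} (RFC 6797 syntax)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def check_hsts(headers: dict, scheme: str = "https") -> HstsCheck:
    """Evaluate a response's headers against the guide's recommendations."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return HstsCheck(False, None, False, False, ["HSTS header missing"])
    findings = []
    if scheme != "https":  # browsers ignore HSTS received over plain HTTP
        findings.append("HSTS sent over HTTP is ignored; send it only over HTTPS")
    d = parse_hsts(value)
    raw = d.get("max-age")
    max_age = int(raw) if raw is not None and raw.isdigit() else None
    if max_age is None:
        findings.append("max-age missing or not numeric; header is invalid")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below the recommended {ONE_YEAR}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set; subdomains stay unprotected")
    return HstsCheck(True, max_age, "includesubdomains" in d, "preload" in d, findings)


if __name__ == "__main__":
    samples = {  # constructed sample responses
        "missing": {"Content-Type": "text/html"},
        "testing": {"Strict-Transport-Security": "max-age=300"},
        "final": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    }
    for name, hdrs in samples.items():
        print(name, check_hsts(hdrs))
```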

Common Gotchas

  • Only send the HSTS header over HTTPS. Sending it over HTTP violates the spec and browsers will ignore it.
  • The includeSubDomains directive applies HSTS to all subdomains. Make sure all subdomains support HTTPS first.
  • Once HSTS is active with a long max-age, you cannot easily revert to HTTP. Start with a short max-age to test.

Verify Your Fix

After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.

Frequently Asked Questions

What max-age should I use for HSTS?

The recommended max-age is 31536000 seconds (1 year). Start with 300 (5 minutes) for testing, then increase to 86400 (1 day), then to 31536000.

What is HSTS preloading?

HSTS preloading adds your domain to a list built into browsers so even the very first connection uses HTTPS. Submit at hstspreload.org. This is very difficult to undo.

Should I include the includeSubDomains directive?

Yes, if all your subdomains support HTTPS. It is required for HSTS preloading and prevents attacks via insecure subdomains.
