How to fix a missing HSTS header
Quick fix guide with step-by-step instructions. Barrion detects this finding in your scans; use this page to remediate it.
What it is
HSTS (HTTP Strict Transport Security) is a response header that tells browsers to connect to your site only over HTTPS for a set period (max-age). Once a browser has seen the header on an HTTPS response, it rewrites every http:// URL for that host to https:// before sending the request and refuses to click through certificate errors. That blocks downgrade (SSL-stripping) attacks and stops cookies from being sent in the clear. The header itself cannot protect the very first visit, because the browser has not seen the policy yet; only the browser preload list closes that gap.
Why it matters
Without HSTS, any request a user makes to http://your-site (a typed address, an old link, an HTTP redirect) travels in the clear and can be intercepted by an attacker on the path, who keeps the user on HTTP, reads or rewrites the pages, and captures any cookie not marked Secure. The same happens if a previously set header has expired. With HSTS, after the first secure visit the browser uses HTTPS for every later request until max-age runs out, so only that first connection (or the first after expiry) is exposed; preloading removes even that window.
How to fix it
- 1
Choose max-age
Set max-age to at least 31536000 (one year). Add includeSubDomains only if every subdomain is served over HTTPS: the policy then applies to all of them, including internal or legacy hosts that cannot do TLS, which will stop working in browsers that have seen the header. Add preload only if you intend to submit the site to the browser HSTS preload list (hstspreload.org); the list requires max-age of at least one year together with includeSubDomains, and removal from shipped browsers takes months, so treat preload as a near-permanent commitment. If you are unsure, roll out with a short max-age first, confirm nothing breaks, then raise it to a year.
- 2
Add the header on your server
Send the Strict-Transport-Security response header on every HTTPS response, including redirects and error pages, from your web server config (Nginx, Apache) or application middleware (Node, Next.js). Browsers ignore the header when it arrives over plain HTTP, so put it in the TLS (port 443) server block, or in middleware that only sets it when the request is secure; behind a TLS-terminating load balancer, derive that from the X-Forwarded-Proto header the proxy sets.
- 3
Ensure HTTP redirects to HTTPS first
Before enabling HSTS, make sure every HTTP request is redirected (301) to the HTTPS version of the same host. Browsers only process the header on an HTTPS response, so without the redirect a user who lands on http:// never receives the policy. HSTS does not replace the redirect either: a first-time visitor still arrives over HTTP. The preload list additionally requires that http://example.com redirect to https://example.com (same host) before any other redirect.
- 4
Verify
Run a scan, or use curl or your browser dev tools (Network tab), to confirm the Strict-Transport-Security header is present on HTTPS responses and that an http:// request returns a 301 to https://. Compare the exact header value with what you chose in step 1: browsers silently ignore misspelled directives, so "includeSubdomain" or "max_age" gives no error and no protection.
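Steps 1 to 4 above as an added Node.js example; this is not code from Barrion's page or product. parseHsts() checks a header value the way a scanner does (max-age of at least one year, includeSubDomains, and the preload eligibility rules), and hsts() is an Express-compatible middleware that redirects plain HTTP with a 301 and sends the header only on HTTPS responses. The names ONE_YEAR, HSTS_VALUE, parseHsts, hsts and simulate, the example.com host, the fake request/response objects, and the assumption that X-Forwarded-Proto comes from a trusted proxy are all assumptions of this example, not the page's.

```javascript
// Added example, not Barrion's code: steps 1-4 as runnable Node.js (no dependencies).
// parseHsts() checks a Strict-Transport-Security value the way a scanner would (steps 1/4),
// hsts() is an Express-compatible middleware that redirects plain HTTP with a 301 (step 3)
// and sends the header only on HTTPS responses, where browsers actually honour it (step 2).
// ONE_YEAR, HSTS_VALUE, parseHsts, hsts and the fake req/res in simulate() are assumed names.

const ONE_YEAR = 31536000;
const HSTS_VALUE = "max-age=31536000; includeSubDomains; preload";

// Parse the header value (RFC 6797: ';'-separated, case-insensitive directives,
// unknown directives ignored) and collect the problems a scanner would flag.
function parseHsts(value) {
  const r = { maxAge: null, includeSubDomains: false, preload: false, problems: [] };
  if (typeof value !== "string" || value.trim() === "") {
    r.problems.push("header missing");
    return r;
  }
  for (const raw of value.split(";")) {
    const directive = raw.trim();
    if (directive === "") continue;
    const eq = directive.indexOf("=");
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? undefined : directive.slice(eq + 1).trim().replace(/^"|"$/g, "");
    if (name === "max-age") {
      if (val === undefined || !/^\d+$/.test(val)) r.problems.push("max-age is not a non-negative integer");
      else r.maxAge = Number(val);
    } else if (name === "includesubdomains") {
      r.includeSubDomains = true;
    } else if (name === "preload") {
      r.preload = true;
    }
  }
  if (r.maxAge === null) r.problems.push("max-age directive is required");
  else if (r.maxAge === 0) r.problems.push("max-age=0 clears the policy instead of enforcing it");
  else if (r.maxAge < ONE_YEAR) r.problems.push("max-age below 31536000 (1 year)");
  // hstspreload.org only accepts sites with max-age >= 1 year and includeSubDomains.
  if (r.preload && (r.maxAge === null || r.maxAge < ONE_YEAR || !r.includeSubDomains)) {
    r.problems.push("preload requested but max-age >= 1 year plus includeSubDomains are required");
  }
  return r;
}

// Express-compatible middleware. Works when Node terminates TLS itself (req.secure) or
// behind a proxy that sets X-Forwarded-Proto (assumed trusted; only the first value counts).
function hsts(req, res, next) {
  const fwd = String(req.headers["x-forwarded-proto"] || "").split(",")[0].trim().toLowerCase();
  const isHttps = req.secure === true || fwd === "https";
  if (!isHttps) {
    // Step 3: plain HTTP gets a 301 to the same host over HTTPS and never sees the header.
    res.statusCode = 301;
    res.setHeader("Location", "https://" + req.headers.host + req.url);
    res.end();
    return;
  }
  // Step 2: the header is only honoured on HTTPS responses (RFC 6797 section 8.1).
  res.setHeader("Strict-Transport-Security", HSTS_VALUE);
  next();
}

// Constructed fake request/response so the middleware can be exercised without a socket.
function simulate({ secure = false, forwardedProto = null } = {}) {
  const reqHeaders = { host: "example.com" };
  if (forwardedProto) reqHeaders["x-forwarded-proto"] = forwardedProto;
  const req = { secure, headers: reqHeaders, url: "/login" };
  const headers = {};
  const res = {
    statusCode: 200,
    setHeader(k, v) { headers[k.toLowerCase()] = v; },
    end() {},
  };
  let reachedApp = false;
  hsts(req, res, () => { reachedApp = true; });
  return { status: res.statusCode, headers, reachedApp };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("scan:", parseHsts("max-age=300; preload").problems);
  console.log("http:", simulate({}));
  console.log("https:", simulate({ secure: true }));
}
```

Run it with node to see the scanner findings for a weak value and the two middleware branches. In a real deployment register the middleware before any route handler, and only trust X-Forwarded-Proto when the app really sits behind the proxy that sets it; a directly reachable app that trusts the header lets a client forge "https" and skip the redirect.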
Examples by platform
Nginx
# Inside the server block that listens on 443 ssl. "always" also sends it on error responses.
# An add_header inside a nested location block replaces every inherited add_header, so repeat it there.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Apache
# Inside the <VirtualHost *:443> block; requires mod_headers. "always" covers error responses too.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Node.js (Express)
// Behind a TLS-terminating proxy, call app.set("trust proxy", 1) so req.secure reflects X-Forwarded-Proto.
app.use((req, res, next) => {
  // Browsers ignore HSTS over plain HTTP, so only send it on HTTPS responses.
  if (req.secure) {
    res.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
  }
  next();
});

Next.js (next.config.js)
// headers() returns an array of { source, headers } rules; "/(.*)" applies to every route.
module.exports = {
  async headers() {
    return [{ source: "/(.*)", headers: [
      { key: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains; preload" }
    ] }];
  }
};

Check your site
Run Barrion's free security headers check to see if this finding applies to your app and get a full report.