High Severity

Missing HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) acts as a "security seatbelt": once a browser has seen the header, it upgrades every plain HTTP request to your domain to HTTPS and refuses connections with certificate errors, for the period you set.

Business Risk

Without HSTS, you are susceptible to "SSL Stripping." An attacker on a coffee shop Wi-Fi can transparently downgrade your users from HTTPS to HTTP, intercepting passwords and session cookies. HSTS prevents this by hard-coding the HTTPS requirement in the browser cache.

Technical Details

Pro Tip: Start with a short `max-age` (e.g., 300 seconds) to test. If you deploy a broken HTTPS config with a two-year `max-age`, you will brick your site for all previous visitors until the stored policy expires. Browsers only honor the header when it is received over an HTTPS connection with a valid certificate, so the initial connection must already be trusted.

Remediation Guide

```json
{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        {
          "key": "Strict-Transport-Security",
          "value": "max-age=63072000; includeSubDomains; preload"
        }
      ]
    }
  ]
}
```
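A small checker for the header value above, added here as an example and not part of the scanner's own code: it parses the `Strict-Transport-Security` directives and flags the cases this entry describes (missing header, a short test-phase `max-age`, no `includeSubDomains`, an incomplete preload set). The sample header maps are constructed, and the one-week floor for a "test value" is an assumption.

```python
import re
# Public HSTS preload list (hstspreload.org) requires max-age >= 1 year,
# includeSubDomains and preload. One week is an assumed floor below which
# max-age is treated as a test value rather than a production value.
PRELOAD_MIN_MAX_AGE = 31536000
ONE_WEEK = 604800

def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into directives (names lower-cased)."""
    directives = {}
    for part in value.split(";"):
        name, _, raw = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        raw = raw.strip().strip('"')
        # RFC 6797: max-age is mandatory; a non-numeric value makes the header invalid.
        directives[name] = (int(raw) if re.fullmatch(r"\d+", raw) else None) if name == "max-age" else True
    return directives

def assess_hsts(headers: dict) -> list:
    """Return findings for a response header map; an empty list means the policy is sound.
    Only the header value is checked: the browser still ignores it unless it arrived
    over HTTPS with a valid certificate (see the Pro Tip above)."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["HIGH: Strict-Transport-Security header missing; SSL stripping possible"]
    d = parse_hsts(value)
    max_age = d.get("max-age")
    findings = []
    if max_age is None:
        findings.append("HIGH: max-age missing or malformed; browsers ignore the header")
    elif max_age == 0:
        findings.append("HIGH: max-age=0 clears any stored policy")
    elif max_age < ONE_WEEK:
        findings.append(f"INFO: max-age={max_age} is a test value; raise it once HTTPS is verified")
    if "includesubdomains" not in d:
        findings.append("MEDIUM: includeSubDomains absent; subdomains are not covered")
    if "preload" in d and ("includesubdomains" not in d or (max_age or 0) < PRELOAD_MIN_MAX_AGE):
        findings.append("LOW: preload set but preload-list requirements (1 year, includeSubDomains) not met")
    return findings

# Constructed sample responses, not captured from a real site.
SAMPLES = {
    "no-hsts": {"Content-Type": "text/html"},
    "test-phase": {"Strict-Transport-Security": "max-age=300"},
    "remediated": {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"},
}
```

Running `assess_hsts` over the three samples reports the missing header as high severity, the 300-second value as a test-phase note plus a missing `includeSubDomains`, and the remediated value from the configuration above as clean.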

Verify Your Fix

Applied the configuration change? Run a live scan to confirm the vulnerability is patched.