Loading...
WebShield Audit
High severity
Missing HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS) acts as a "security seatbelt," forcing browsers to refuse all insecure HTTP connections to your domain for a set period.
Business risk
Without HSTS, you are susceptible to "SSL Stripping." An attacker on a coffee shop Wi-Fi can transparently downgrade your users from HTTPS to HTTP, intercepting passwords and session cookies. HSTS prevents this by hard-coding the HTTPS requirement in the browser cache.
Technical details
Pro Tip: Start with a short `max-age` (e.g., 300 seconds) to test. If you deploy a broken HTTPS config with `max-age=2years`, you will brick your site for all previous visitors until the cache expires. HSTS requires a valid certificate on the initial connection to be trusted.
How to detect it
HSTS is either present in the Strict-Transport-Security response header on HTTPS responses or it is not. Check the apex and every subdomain you care about - scanners only read what the server actually returns.
Read the header
curl -sI https://yourdomain.com | grep -i strict-transport-securityCheck the WWW subdomain
curl -sI https://www.yourdomain.com | grep -i strict-transport-securityConfirm preload eligibility
https://hstspreload.org/?domain=yourdomain.comCommon pitfalls
- Shipping `max-age=63072000` on day one. If your HTTPS config is broken and you find out later, returning visitors are locked out until the cache expires. Ramp from 300 to 86400 to 31536000 to 63072000 over a few weeks.
- Forgetting `includeSubDomains` when you own every subdomain. A single cleartext `legacy.yourdomain.com` becomes an SSL-stripping bypass if subdomains are not covered.
- Submitting to the preload list before the policy is stable. Preload removal takes weeks to months. Verify `max-age` is at least 31536000 with `includeSubDomains` and `preload` before submission.
- Setting HSTS on HTTP responses. Browsers only record the directive from HTTPS responses with a valid cert. Serving it on plaintext HTTP does nothing.
- Dropping the `Strict-Transport-Security` header on redirects. The final HTTPS response must carry it, but the redirect chain should also avoid advertising HTTP-only resources.
Remediation guide
External references
Frequently asked questions
What max-age value should I start with?
Start at 300 seconds (five minutes) and sit there for a day. Move to 86400 (one day) for a week. Then 31536000 (one year). Only set 63072000 (two years, the preload minimum) once you are confident the HTTPS config is stable across every endpoint.
Does HSTS require preload list submission?
No. HSTS via the header alone protects returning visitors. Preload submission protects the very first visit on a new device, which is the window where SSL stripping usually happens. Preload is strongly recommended but not required for the header to work.
What happens if my TLS certificate expires with HSTS active?
Users see a browser error with no option to click through, because HSTS disables the usual "Proceed Anyway" link. This is by design. Set up certificate monitoring and renewal automation before enabling HSTS with a long max-age.
Keep going
Related guide
Weak TLS Protocols Enabled (TLS 1.0 / 1.1)
High severity · Transport
Related guide
Mixed Content (Insecure Resources)
High severity · Transport
Related guide
Missing Content Security Policy (CSP)
High severity · Content
Deep guide
HSTS: A Complete, Rollback-Safe Setup Guide
The max-age ramp, subdomain audit and preload submission - in the order they won't burn you.
Free tool
HSTS Preload Checker
Test HSTS before you preload - because you only get to do it wrong once.
Verify your fix
Applied the configuration change? Run a live scan to confirm the vulnerability is patched.