HSTS missing — what HTTP Strict Transport Security is and how to fix it
Strict-Transport-Security (HSTS) tells browsers to only ever load your site over HTTPS, even if a user types http:// or follows a stale link. Without it, the very first request — or any rare http:// request — can be intercepted on hostile networks.
Why it matters
Most session-stealing attacks rely on a downgrade or a single plaintext request. HSTS removes that escape hatch entirely once the browser has cached the policy.
Real-world risk
First visits or bookmarked http:// links can hit plaintext; SSLstrip-style attacks remain plausible on hostile networks.
Fix steps (in order)
- Send on every HTTPS response: Strict-Transport-Security: max-age=31536000; includeSubDomains
- Roll out gradually if some subdomains still need HTTP, then add includeSubDomains once it is safe for all of them.
Example configurations
Patterns for common stacks. Set headers at your CDN, load balancer, or origin as appropriate.
nginx (server / location) · nginx
# If TLS terminates at a CDN, set the header there instead.
# "always" also emits the header on 4xx/5xx responses, not only 2xx/3xx.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Express (helmet) · typescript
import express from "express";
import helmet from "helmet";

const app = express();
// helmet.hsts() sets Strict-Transport-Security on every response this app sends.
app.use(helmet.hsts({ maxAge: 31_536_000, includeSubDomains: true }));
Apache (vhost) · apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Topic explainer
What is HSTS? HTTP Strict Transport Security explained →
How HSTS works, why the bootstrap window matters, what max-age and includeSubDomains do, and when (or whether) to submit your domain to the browser preload list.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (missing_hsts) clears once the externally-observable signal is in place.
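A local check of the same signal the scan looks for, as an added example that is not Scorifya's code: it parses a Strict-Transport-Security value the way RFC 6797 describes (case-insensitive directive names, optional quoting, max-age required) and reports the defects from the fix steps above. The header dicts are constructed inputs standing in for one fetched response; the issue strings and the `over_https` flag are this example's own.

```python
from __future__ import annotations
from dataclasses import dataclass, field

ONE_YEAR = 31_536_000  # seconds: the max-age recommended in the fix steps


@dataclass
class HstsVerdict:
    present: bool
    max_age: int | None
    include_subdomains: bool
    preload: bool
    issues: list[str] = field(default_factory=list)


def parse_hsts(value: str) -> tuple[int | None, bool, bool]:
    """Split a header value into directives: ';'-separated, names are
    case-insensitive, values may be quoted, max-age is the only required one."""
    max_age, include_subdomains, preload = None, False, False
    for raw in value.split(";"):
        name, _, val = raw.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return max_age, include_subdomains, preload


def check_hsts(headers: dict[str, str], over_https: bool = True) -> HstsVerdict:
    """Evaluate the response headers of one fetch (constructed dicts here).
    Header names are matched case-insensitively. Browsers only honour HSTS
    on an HTTPS response, so over_https=False is itself reported as an issue."""
    lower = {k.lower(): v for k, v in headers.items()}
    value = lower.get("strict-transport-security")
    if value is None:
        return HstsVerdict(False, None, False, False, ["missing_hsts"])
    max_age, subs, preload = parse_hsts(value)
    verdict = HstsVerdict(True, max_age, subs, preload)
    if not over_https:
        verdict.issues.append("sent on an http:// response; browsers ignore it there")
    if max_age is None:
        verdict.issues.append("max-age missing or non-numeric; the policy is invalid")
    elif max_age == 0:
        verdict.issues.append("max-age=0 tells browsers to drop any cached policy")
    elif max_age < ONE_YEAR:
        verdict.issues.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if not subs:
        verdict.issues.append("includeSubDomains not set; subdomains stay downgradable")
    return verdict
```

An empty issues list on an HTTPS response is the state in which the missing_hsts finding clears.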