Security headers · Check
Weak HSTS — short max-age or missing includeSubDomains, and how to harden it
An HSTS header with a short max-age or without the includeSubDomains directive only partly protects users. Once max-age expires, the browser forgets the policy and will again follow a plain http:// link or a typed hostname before anything has upgraded it, reopening the bootstrap window; without includeSubDomains, every subdomain stays reachable over HTTP even though the parent host itself is pinned.
Real-world risk
With a short max-age, any user who has not visited the site recently is back in the bootstrap window: an attacker on the network path can answer the first http:// request, keep the session on plain HTTP and read or rewrite it. Without includeSubDomains, the attacker instead sends the browser to an http:// URL on any subdomain, and cookies scoped to the parent domain (Domain=example.com) go out in the clear with that request. In both cases the HSTS entry the browser holds for the parent host does not help.
Fix steps (in order)
- Increase max-age to at least one year (31536000 seconds) once the site has run cleanly over HTTPS with a shorter value. Raising it is safe at any time; a long value cannot be withdrawn quickly from browsers that already hold it, so validate before you commit.
- Add includeSubDomains only when every subdomain, including internal, staging and vendor-hosted names, serves valid HTTPS. Once set, browsers refuse HTTP to all of them for the full max-age.
- If you plan to submit the domain to the preload list, note that it requires max-age of at least 31536000, includeSubDomains and the preload directive. Add preload only after the first two steps have settled; removal from the list takes months.
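As an added worked example (my own code, not Scorifya's scanner and not code from this page): a small Python checker that parses a Strict-Transport-Security value the way RFC 6797 asks browsers to and grades it against the fix steps above. The finding id weak_hsts is the page's; hsts_missing, hsts_invalid, hsts_disabled and hsts_preload_ineligible are names I made up for the other failure modes, and the sample header values are constructed.

```python
"""Parse and grade a Strict-Transport-Security header value.

Hypothetical checker written for this page; it is not Scorifya's scanner.
The finding id weak_hsts is the page's; the other ids are made up here.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR = 31_536_000  # seconds; also the minimum max-age for the preload list


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse directives as RFC 6797 tells browsers to: names are
    case-insensitive, max-age may be quoted, unknown directives are ignored,
    and a duplicated directive makes the whole header invalid."""
    policy = HstsPolicy()
    seen = set()
    saw_max_age = False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            policy.errors.append(f"duplicate directive {name}")
            continue
        seen.add(name)
        if name == "max-age":
            saw_max_age = True
            if val.isdigit():
                policy.max_age = int(val)
            else:
                policy.errors.append(f"max-age is not a non-negative integer: {val!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # any other directive is ignored, as browsers are required to do
    if not saw_max_age:
        policy.errors.append("max-age directive is required")
    return policy


def grade_hsts(value: Optional[str]) -> List[str]:
    """Return findings for a header value; an empty list means the policy is strong."""
    if value is None:
        return ["hsts_missing: no Strict-Transport-Security header on the HTTPS response"]
    policy = parse_hsts(value)
    if policy.errors:
        return ["hsts_invalid: " + e for e in policy.errors]
    findings: List[str] = []
    if policy.max_age == 0:
        findings.append("hsts_disabled: max-age=0 tells browsers to forget the policy")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"weak_hsts: max-age {policy.max_age}s is below one year ({ONE_YEAR}s)")
    if not policy.include_subdomains:
        findings.append("weak_hsts: includeSubDomains missing, subdomains stay downgradeable")
    if policy.preload and (policy.max_age < ONE_YEAR or not policy.include_subdomains):
        findings.append("hsts_preload_ineligible: preload needs max-age>=31536000 and includeSubDomains")
    return findings


# Constructed header values: the weak one this check flags, and hardened ones.
SAMPLES = {
    "weak": "max-age=300",
    "hardened": "max-age=31536000; includeSubDomains",
    "preload-ready": "max-age=63072000; includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label}: {grade_hsts(header) or ['ok']}")
```

Feed grade_hsts the value taken from an HTTPS response (for example the Strict-Transport-Security line in the output of curl -sI https://host). A header seen only on the http:// side does not count, because browsers ignore HSTS received over plain HTTP.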
Topic explainer
What is HSTS? HTTP Strict Transport Security explained →
How HSTS works, why the bootstrap window matters, what max-age and includeSubDomains do, and when (or whether) to submit your domain to the browser preload list.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (weak_hsts) clears once the hardened Strict-Transport-Security header is observable on an HTTPS response from the host. Make sure the header is sent on the https:// side: browsers ignore HSTS received over plain HTTP, so a header emitted only on the redirecting http:// listener fixes nothing.