Medium impact | Security

Missing HSTS Header

Without HSTS, users can be downgraded to HTTP on first visit. Here's how to add it safely.

What it means

The Strict-Transport-Security HTTP response header tells browsers to always use HTTPS for your domain.

Why it matters

Without HSTS, a man-in-the-middle attacker can intercept a user's first plain-HTTP request before the redirect to HTTPS happens. HSTS also slightly improves performance by skipping that redirect hop on later visits.

How to fix it

  1. Add 'Strict-Transport-Security: max-age=31536000; includeSubDomains' to all HTTPS responses (browsers ignore the header on plain HTTP responses).
  2. Once the policy has been running without problems, add 'preload' and submit the domain to hstspreload.org.
  3. Verify the header with securityheaders.com.

Example

Before:
<!-- no Strict-Transport-Security header -->

After:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Find this issue on your site automatically

FreeSEO scans for a missing HSTS header and 140+ other issues, free, no signup.

Frequently asked questions

Will HSTS break anything?

Only if you go back to HTTP: once a browser has received the HSTS header, it refuses plain HTTP for that domain for max-age seconds.