All fix guides

How to add a strong HSTS header

Tell browsers to only ever connect to your site over HTTPS, closing the gap before the redirect.

What it is

HTTP Strict Transport Security is a response header (`Strict-Transport-Security`) that tells browsers to force HTTPS for your domain for a set period.

Why it matters

Even with a redirect, the very first request of a session can go over http and be hijacked. HSTS removes that window — after one secure visit, the browser refuses http entirely.

How to fix it

  1. 1Add the header: `Strict-Transport-Security: max-age=31536000; includeSubDomains`.
  2. 2Use a max-age of at least 6 months (15552000); 1 year (31536000) is standard.
  3. 3Add `includeSubDomains` only once every subdomain is HTTPS-ready.
  4. 4Optionally add `preload` and submit to hstspreload.org to bake it into browsers.
  5. 5Re-scan to confirm a strong HSTS policy is present.

Not sure if your site is affected?

Run a free scan — or let us fix it all for you.

Privacy and cookie preferences

We use strictly necessary cookies to run the site. Analytics, marketing, and AI assistant telemetry are optional and disabled until you choose. You can update consent any time in Cookie Settings.

Some infrastructure cookies, such as load balancer routing cookies, are essential for service delivery. Details: Cookie Policy