P1 · High · Security
Missing HSTS
No Strict-Transport-Security header
Code: missing_hsts
Why it matters
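The site's responses do not include a Strict-Transport-Security header. Without it, browsers are never told to use HTTPS only for this site, so a visitor's connection can still start over plain HTTP. Browsers and users expect sites to be secure. Missing protections expose visitors to data theft, phishing, and loss of trust.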
How to fix
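Add the Strict-Transport-Security header to your HTTPS responses. Browsers only honor it when it arrives over HTTPS, and includeSubDomains applies the policy to every subdomain, so confirm that all of them serve HTTPS before enabling it.

# Nginx: add inside your server {} block
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# Apache: add to .htaccess or <VirtualHost>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"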
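To confirm the fix took effect, the response headers can be checked against the values configured above. The following is an added example, not the scanner's own code: apart from `missing_hsts`, the finding names are hypothetical, and the sample responses are constructed.

```python
import re

# The max-age the page's fix sets; used here as the policy to check against.
RECOMMENDED_MAX_AGE = 31536000

def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797; None if invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are permitted by the grammar
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            return None  # a repeated directive invalidates the header
        directives[name] = arg.strip().strip('"')  # value may be quoted
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None  # max-age is required and must be a non-negative integer
    directives["max-age"] = int(directives["max-age"])
    return directives

def audit(raw_headers):
    """Return a list of findings for one response's header block."""
    values = [line.split(":", 1)[1].strip()
              for line in raw_headers.splitlines()
              if line.lower().startswith("strict-transport-security:")]
    if not values:
        return ["missing_hsts"]
    policy = parse_hsts(values[0])  # browsers process only the first header
    if policy is None:
        return ["invalid_hsts"]
    findings = []
    if policy["max-age"] < RECOMMENDED_MAX_AGE:
        findings.append("short_max_age")
    if "includesubdomains" not in policy:
        findings.append("no_include_subdomains")
    if "preload" not in policy:
        findings.append("no_preload")
    return findings

# Constructed sample responses (not captured from a real site).
FIXED = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
WEAK = "HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=\"300\"\r\n"
MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED), ("weak", WEAK), ("missing", MISSING)):
        print(name, audit(sample) or "ok")
```

Feed `audit` the header block of an HTTPS response from the site (for example the output of `curl -sI`); an empty list means the header matches the configuration shown above.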