HSTS Header Missing

Last updated: April 2026

Your site is missing the Strict-Transport-Security (HSTS) header. Without it, a browser that is handed an http:// link, or a user who types the bare domain, makes the first request in cleartext and relies on a server redirect to reach HTTPS. An attacker on the network path can intercept that request and keep the session on HTTP (SSL stripping). HSTS tells the browser to rewrite http:// to https:// for the given max-age and to refuse, rather than click through, certificate errors on that host. Note that the policy is only learned from an HTTPS response: the header is ignored on plain-HTTP responses, so the very first visit is still unprotected unless the domain is on the browser preload list.

Fix for Nginx

server {
    listen 443 ssl;
    # HSTS is only honoured when received over HTTPS, so the header belongs in
    # the TLS server block, not in the port-80 redirect block.
    # Start with a short max-age; raise it once HTTPS is confirmed working.
    # "always" also attaches the header to 4xx/5xx responses.
    # Any location{} that declares its own add_header drops this one; repeat it there.
    add_header Strict-Transport-Security "max-age=300" always;
}

Fix for Cloudflare

Dashboard → SSL/TLS → Edge Certificates → HTTP Strict Transport Security (HSTS). Enable it and set max-age to 300 initially; Cloudflare then adds the header to responses at the edge, so it is sent even if your origin does not. Leave "Apply HSTS policy to subdomains" and "Preload" off until the ramp-up steps below are complete.

Fix for Vercel

# vercel.json
{
  "headers": [{ "source": "/(.*)", "headers": [
    { "key": "Strict-Transport-Security", "value": "max-age=300" }
  ]}]
}

Raise the value following the ramp-up steps below; "max-age=31536000; includeSubDomains" is the production target, and includeSubDomains belongs there only once every subdomain serves HTTPS.

Ramp up safely

Step 1: max-age=300          # 5 minutes: confirm HTTPS works on every path
Step 2: max-age=86400         # 1 day: after confirming, watch for mixed-content breakage
Step 3: max-age=31536000      # 1 year: production value
Step 4: add includeSubDomains # only when all subdomains (including internal ones) are HTTPS
Step 5: add preload           # only when you intend to submit to hstspreload.org, which checks for the directive
⚠ The preload directive is your consent to being hard-coded into browsers. hstspreload.org requires max-age of at least 31536000, includeSubDomains and preload on the base domain, plus an HTTP-to-HTTPS redirect on the same host, and it will not accept a submission until the header is already being served. Only add preload once steps 1 to 4 are done and you are certain every subdomain will stay HTTPS: removal from the preload list takes 6-12 months because it depends on browser release cycles. To roll back a policy that has not been preloaded, serve max-age=0 over HTTPS, which clears it in browsers that revisit.
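To check where a deployment sits in the ramp-up above, the following script parses a Strict-Transport-Security value the way RFC 6797 describes (directive names are case-insensitive, a duplicate directive or a missing or non-numeric max-age invalidates the header, quoted values are allowed) and grades it against the steps and the preload requirements listed above. This is an added example, not code from the original page or from any scanner; the stage labels and the `fetch_hsts` helper are this example's own, and the sample header values at the bottom are constructed.

```python
"""Parse and grade a Strict-Transport-Security header (RFC 6797).

Added example, not part of the original page. Stage names follow the
ramp-up steps above; preload eligibility uses the hstspreload.org rules:
max-age >= 31536000, includeSubDomains and preload all present.
"""
import http.client
import ssl
from typing import Dict, Optional

ONE_DAY = 86400
ONE_YEAR = 31536000


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split a header value into {directive: value}; raise ValueError if invalid.

    Names are lower-cased (case-insensitive per RFC 6797 s6.1). A repeated
    directive, a missing max-age, or a max-age that is not a non-negative
    integer makes the whole header invalid, which a browser would ignore.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"') if sep else None  # quoted-string allowed
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val
    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    try:
        age = int(directives["max-age"])  # type: ignore[arg-type]
    except (TypeError, ValueError):
        raise ValueError("max-age must be a non-negative integer") from None
    if age < 0:
        raise ValueError("max-age must be a non-negative integer")
    directives["max-age"] = age  # type: ignore[assignment]
    return directives


def preload_ready(d: Dict[str, Optional[str]]) -> bool:
    """True when the header itself meets the hstspreload.org requirements."""
    return int(d["max-age"]) >= ONE_YEAR and "includesubdomains" in d and "preload" in d  # type: ignore[arg-type]


def grade(value: Optional[str]) -> str:
    """Map a raw header value (or None) to the ramp-up step it corresponds to."""
    if value is None:
        return "missing"
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return f"invalid: {exc}"
    age = int(d["max-age"])  # type: ignore[arg-type]
    if age == 0:
        return "disabled (max-age=0 clears the policy)"
    if age < ONE_DAY:
        step = "step 1 (testing)"
    elif age < ONE_YEAR:
        step = "step 2 (short)"
    else:
        step = "step 3 (production)"
    if "includesubdomains" in d:
        step += " + includeSubDomains"
    if "preload" in d:
        step += " + preload" + ("" if preload_ready(d) else " (not preload-eligible)")
    return step


def fetch_hsts(host: str, path: str = "/", timeout: float = 10.0) -> Optional[str]:
    """GET https://host/path and return the raw HSTS header, or None if absent.

    Browsers ignore the header on non-TLS responses (RFC 6797 s8.1), so this
    deliberately looks only at the HTTPS response, never at the port-80 redirect.
    Network helper; not exercised by the offline samples below.
    """
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("GET", path, headers={"User-Agent": "hsts-check"})
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample values covering each ramp-up step and two invalid forms.
    for sample in [None, "max-age=300", "max-age=86400",
                   "max-age=31536000; includeSubDomains; preload",
                   "max-age=31536000; preload", "includeSubDomains",
                   "max-age=300; max-age=600"]:
        print(f"{sample!r:50} -> {grade(sample)}")
```

Run it against a live host with `grade(fetch_hsts("example.com"))`; the test of whether the header is being served on the HTTPS response, rather than only on the redirect, is the one that trips most deployments.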