Skip to main content
All SEO checks
Securitywarning

Missing HSTS header

What this check looks for

Checks whether the server sends a Strict-Transport-Security response header over HTTPS.

Why it matters

HSTS tells browsers to only ever connect to your site over HTTPS, which blocks protocol-downgrade and man-in-the-middle attacks that a plain http redirect can't prevent on the first request. It's part of the security posture that reflects a trustworthy, well-maintained site. Only enable it once every subdomain and asset is reliably served over HTTPS, since the policy is cached for the max-age you set.

How to fix it

nginx
# Send only over HTTPS; 2 years, cover subdomains, and be preload-eligible
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

Go deeper

Check your site for this and 120+ other issues

Analyze any URL free