Skip to main content

Fix Guides

How to Fix Missing HSTS (Strict-Transport-Security)

Force browsers to only ever connect to your site over HTTPS.

Quick fix

To fix missing HSTS, add the response header Strict-Transport-Security: max-age=31536000; includeSubDomains once your whole site (and all subdomains) works over HTTPS. Set it in your server, CDN or framework, then re-scan to confirm it is present.

A missing HSTS header means browsers can still be tricked into connecting to your site over insecure HTTP, even after you have installed HTTPS. Adding the Strict-Transport-Security header tells browsers to use HTTPS only, closing the gap. This guide shows exactly how, on every major platform.

Check your website

See how your site handles how to fix missing hsts (strict-transport-security) — free, no account needed.

Business impact

Without HSTS, a visitor's first request can be intercepted and downgraded to HTTP before your redirect kicks in — a real risk on public Wi-Fi. That undermines the security customers assume when they see your padlock. HSTS is a small header that meaningfully strengthens trust and is expected by security-conscious users and auditors.

Why this happens

HSTS is usually missing simply because it is not enabled by default — HTTPS works without it, so it is easy to overlook. Common causes: the header was never added to server or CDN config; it is set on the homepage but not site-wide; or HTTPS is not yet consistent across all subdomains, so enabling it safely was deferred. HSTS only takes effect over HTTPS and is ignored on plain HTTP.

How to confirm the issue

Manually: open your browser DevTools → Network tab, reload your site, click the document request and look for strict-transport-security under Response Headers. Or run curl -I https://yoursite.com and check for the header.

With Plexa Trust: run a free scan and look for the "Missing Strict-Transport-Security" finding. After you deploy the fix, re-scan — the finding should clear.

Step-by-step fix

  1. Confirm HTTPS works everywhere first, including every subdomain.

  2. Add the header Strict-Transport-Security: max-age=31536000; includeSubDomains.

  3. Start with a shorter max-age (e.g. 86400) if you want to test, then raise it.

  4. Only add preload once you are certain every subdomain is HTTPS — it is hard to reverse.

  5. Deploy, then re-scan to confirm the header is present on all pages.

Platform-specific fixes

Cloudflare

  1. Go to SSL/TLS → Edge Certificates.

  2. Scroll to HTTP Strict Transport Security (HSTS) and click Enable HSTS.

  3. Set Max-Age to 12 months and enable Include Subdomains once all subdomains use HTTPS.

  4. Only enable Preload when you are certain. Save.

Apache

Add to your virtual host or .htaccess (requires mod_headers):

  1. Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

  2. Reload Apache: sudo systemctl reload apache2.

Nginx

Inside the HTTPS server { } block:

  1. add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

  2. Test config: sudo nginx -t, then reload: sudo systemctl reload nginx.

WordPress

If you cannot edit server config, use a plugin.

  1. Install a security headers plugin (e.g. Really Simple SSL or a headers plugin).

  2. Enable the HSTS / Strict-Transport-Security option.

  3. Confirm HTTPS is forced site-wide first.

Vercel / Netlify

Set headers in your config file.

  1. Vercel: add a headers entry in vercel.json for Strict-Transport-Security.

  2. Netlify: add the header to netlify.toml or _headers.

  3. Redeploy the site.

How to verify the fix

  • Re-scan with Plexa Trust and confirm "Missing Strict-Transport-Security" is cleared.

  • Check the header appears on multiple pages, not just the homepage.

  • Verify with curl -I https://yoursite.com that max-age is present.

Common mistakes

  • Enabling preload before every subdomain is HTTPS, locking users out.

  • Setting HSTS on HTTP responses (it is ignored there).

  • Adding it only to the homepage instead of site-wide.

Frequently asked questions

What does HSTS actually do?

It tells browsers to only connect to your domain over HTTPS for a set period, so they never even attempt insecure HTTP — preventing downgrade attacks.

What max-age should I use?

One year (31536000 seconds) is standard once you are confident. Use a shorter value while testing so mistakes expire quickly.

Is HSTS preload safe?

Preload is powerful but hard to undo — your domain gets hard-coded into browsers as HTTPS-only. Only submit it once every subdomain reliably serves HTTPS.

Will HSTS break my HTTP site?

It only applies after a browser has seen it over HTTPS. If some content is still HTTP-only, fix that first or it will become unreachable.

Does includeSubDomains matter?

It extends the policy to every subdomain. Only use it when all subdomains support HTTPS, otherwise they may become inaccessible.

How do I remove HSTS if I made a mistake?

Set max-age=0 and serve it over HTTPS so browsers clear the policy. Preloaded domains require removal from the preload list, which takes time.

Where should I set the header?

At the earliest point that covers all responses — usually your CDN, web server or framework middleware — so it applies site-wide.

How do I confirm it worked?

Re-scan with Plexa Trust and check the header via DevTools or curl. The "Missing Strict-Transport-Security" finding should disappear.

Think you've fixed it?

Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.

Verify with a free scan

Upgrade to Pro for monitoring