Missing HSTS Header
What This Means
This issue flags URLs that are missing the HSTS response header. The HTTP Strict-Transport-Security (HSTS) response header instructs browsers that the site should only be accessed using HTTPS, rather than HTTP. If a website accepts a connection over HTTP before redirecting to HTTPS, visitors will initially still communicate over HTTP. The HSTS header instructs the browser to never load the site over HTTP and to automatically convert all requests to HTTPS.
What Triggers This Issue
This issue is triggered when a URL is missing the HSTS response header. For example, the response does not include a header such as: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
How To Fix
The HSTS header should be used across all pages to instruct the browser that it should always request pages via HTTPS, rather than HTTP.
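To verify the fix across a set of crawled responses, the check below is an added example (not code from the tool this page describes). It goes a little beyond "missing" and also flags headers that browsers ignore under RFC 6797. The function names and the sample crawl data are assumptions constructed for illustration.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797; None if invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are allowed by the grammar
        name, _, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            return None  # each directive may appear only once
        directives[name] = val.strip().strip('"')  # value may be a quoted-string
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None  # max-age is required and must be a number of seconds
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}

def check_url(url, headers):
    """Return an issue string for one response, or None if HSTS is in force."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get("strict-transport-security")
    if value is None:
        return "missing HSTS header"
    if not url.lower().startswith("https://"):
        return "HSTS header sent over HTTP (browsers ignore it)"
    policy = parse_hsts(value)
    if policy is None:
        return "invalid HSTS header (browsers ignore it)"
    if policy["max_age"] == 0:
        return "max-age=0 removes the HSTS policy"
    return None

# Constructed sample crawl results (hypothetical, not from a real site).
CRAWL = [
    ("https://example.com/", {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}),
    ("https://example.com/login", {"Content-Type": "text/html"}),
    ("https://example.com/old", {"strict-transport-security": "includeSubDomains"}),
    ("http://example.com/", {"Strict-Transport-Security": "max-age=63072000"}),
]

def audit(crawl):
    """Map each URL with a problem to its issue; compliant URLs are omitted."""
    return {url: issue for url, hdrs in crawl if (issue := check_url(url, hdrs))}

if __name__ == "__main__":
    for url, issue in audit(CRAWL).items():
        print(f"{url}: {issue}")
```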