Security Check n°4 / 120

HSTS header

HSTS tells the browser: "This site must ALWAYS be visited over HTTPS, never HTTP". The browser remembers this and blocks any unsecured acces…


Understanding "HSTS header"

HSTS (HTTP Strict Transport Security) is an HTTP header that instructs the browser to only access the site over HTTPS, even if the user types http:// or clicks an HTTP link. The browser memorises this instruction for the duration specified by the max-age parameter (in seconds). On all subsequent visits, the browser converts HTTP → HTTPS locally, before even sending the request to the network.

Without HSTS, even with a 301 redirect configured on the server, a visitor's very first request is sent in HTTP before being redirected. This first request is vulnerable to an SSL stripping attack, where an attacker intercepts the HTTP connection and presents a fake unencrypted version of the site.

❌ Without HSTS — first visit interceptable:
   Types http:// → HTTP request sent → 🕵️ SSL stripping → unencrypted site presented

✅ With HSTS (max-age=31536000):
   Types http:// → browser converts to https:// locally → 🔒 direct HTTPS connection
   ✓ No HTTP request ever leaves the device

How TheSiteFuse checks "HSTS header"

TheSiteFuse retrieves the HTTP response headers from the homepage (over HTTPS) and looks for the Strict-Transport-Security header. The check verifies the header is present and that the max-age value is long enough (minimum 1 month recommended, 1 year ideal). The presence of includeSubDomains is noted but not required for the check to pass.
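As an added example (not TheSiteFuse's own code), a Python grader that applies the rules just described, and the tiers listed under "Recommended max-age values", to a dict of response headers. The verdict names, the 30-day definition of "1 month" and the handling of max-age=0 are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

ONE_DAY = 86400
ONE_MONTH = 30 * ONE_DAY    # 2592000 s: the minimum the check recommends (assumed 30-day month)
ONE_YEAR = 365 * ONE_DAY    # 31536000 s: ideal for production

@dataclass
class HstsResult:
    verdict: str                    # "fail", "weak" or "pass" (assumed verdict names)
    reason: str
    max_age: Optional[int] = None
    include_subdomains: bool = False

def parse_hsts(value: str):
    """Split an HSTS header value into directives (RFC 6797: names are
    case-insensitive, ';'-separated, values may be quoted).
    Returns (max_age, include_subdomains), or None if max-age is malformed."""
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    return max_age, include_subdomains

def check_hsts(headers: dict) -> HstsResult:
    """Grade the HSTS policy in a dict of response headers (key case ignored)."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return HstsResult("fail", "Strict-Transport-Security header missing")
    parsed = parse_hsts(value)
    if parsed is None or parsed[0] is None:
        # Without a valid max-age the browser ignores the whole header.
        return HstsResult("fail", "max-age missing or malformed; browsers ignore the header")
    max_age, subs = parsed
    if max_age == 0:
        # max-age=0 tells the browser to forget any stored policy.
        return HstsResult("fail", "max-age=0 removes the policy", max_age, subs)
    if max_age < ONE_MONTH:
        return HstsResult("weak", f"max-age {max_age}s is below 1 month", max_age, subs)
    note = "1 year or more" if max_age >= ONE_YEAR else "at least 1 month, 1 year is ideal"
    if not subs:
        note += "; includeSubDomains not set"
    return HstsResult("pass", note, max_age, subs)
```

Feed it the headers returned by any HTTPS client; the same header sent over plain HTTP is ignored by browsers, so only the HTTPS response matters.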

Why "HSTS header" matters

Without HSTS, your site remains vulnerable even with HTTPS enabled and a 301 redirect configured:

  • SSL stripping attack — an attacker between the visitor and your server can intercept the initial HTTP request and maintain an unencrypted connection, presenting a plaintext version of the site without the visitor realising it.
  • Redirect bypass — if a user types http://yoursite.com directly, their initial request travels in plaintext before being redirected.
  • Cookie exposure — without HSTS, an attacker can force an HTTP request to your domain, capturing any cookies not marked Secure.

Fix "HSTS header" step by step

Apache

# Requires mod_headers; "always" also applies the header to error responses
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Nginx

# "always" emits the header on every status code, not only 2xx/3xx responses
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Recommended max-age values

  • max-age=86400 — 1 day (initial test)
  • max-age=604800 — 1 week (progressive rollout)
  • max-age=31536000 — 1 year (recommended production)

Warning: start with 1 day and increase progressively.

Verify

curl -I https://yoursite.com | grep -i strict

Reference resource

To deepen your understanding of the technical concepts behind this check, see the dedicated Wikipedia article.

Wikipedia — HSTS header

Does your site pass this check?

Run the free full audit (120 checks) and instantly discover what needs fixing.
