
Security fix guide

How to Fix a Missing HSTS Header

A missing Strict-Transport-Security header means browsers are not instructed to always use HTTPS for future visits.


What the issue means

Without a Strict-Transport-Security (HSTS) header, a browser has no instruction to use HTTPS on its own for later visits: a request typed or linked as http:// goes out over plain HTTP and only reaches HTTPS if the server redirects it.

Why it matters

HSTS helps prevent protocol downgrade and accidental HTTP access after the first secure visit.

How to check it

Look for a Strict-Transport-Security header in responses served over HTTPS. Browsers ignore the header on plain-HTTP responses, so checking the http:// URL tells you nothing about whether HSTS is active.

How to fix it

Serve HTTPS everywhere first, then add HSTS with a safe max-age. Add includeSubDomains only once every subdomain works over HTTPS, and add preload only when ready.

Configuration examples

Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Vercel / Next.js
headers: async () => [{ source: "/(.*)", headers: [{ key: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains" }] }]
Cloudflare
Enable HSTS from SSL/TLS Edge Certificates only after confirming HTTPS works on all subdomains.
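As an added check that is not part of this guide, the Python below fetches a site's HTTPS response headers and evaluates the Strict-Transport-Security value against the settings used in the examples above (one-year max-age, includeSubDomains, preload only when the other two are in place). fetch_headers, parse_hsts, assess_hsts and SAMPLES are names introduced here, and the sample responses are constructed.

```python
import urllib.request
import urllib.error
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # the max-age used in the configuration examples above

# Constructed sample responses (not captured from any real site) for a quick run.
SAMPLES = {
    "missing": {"Content-Type": "text/html"},
    "weak": {"Strict-Transport-Security": "max-age=300"},
    "good": {"strict-transport-security": "max-age=31536000; includeSubDomains"},
}

def fetch_headers(url: str) -> Dict[str, str]:
    """HEAD an HTTPS URL and return its response headers (redirects are followed)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry headers
        return dict(err.headers.items())

def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split 'max-age=31536000; includeSubDomains' into lower-cased directives (RFC 6797)."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives

def assess_hsts(headers: Dict[str, str]) -> List[str]:
    """Findings for one HTTPS response; an empty list means the header is acceptable."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["missing Strict-Transport-Security header"]
    d, findings = parse_hsts(value), []
    raw = d.get("max-age")
    age = int(raw) if raw is not None and raw.isdigit() else -1
    if age < 0:
        findings.append("max-age missing or not an integer: browsers ignore the header")
    elif age < ONE_YEAR:
        findings.append(f"max-age={age} is below one year ({ONE_YEAR}); 0 would drop any stored policy")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set: subdomains can still be reached over plain HTTP")
    if "preload" in d and (age < ONE_YEAR or "includesubdomains" not in d):
        findings.append("preload set, but the preload list needs includeSubDomains and max-age >= one year")
    return findings

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():  # swap in fetch_headers("https://example.com/") for a live check
        print(name, assess_hsts(hdrs) or "OK")
```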
