high HTTP Headers

Missing HSTS Header

The HTTP Strict Transport Security (HSTS) header is missing, allowing browsers to silently downgrade HTTPS connections to HTTP.

Severity
high
Time to Fix
15 minutes
Difficulty
easy
OWASP
A05:2021 — Security Misconfiguration

What is Missing HSTS Header?

HSTS (HTTP Strict Transport Security) is a response header that tells browsers to only connect to your site over HTTPS for a specified period (typically 1 year). Without HSTS, a man-in-the-middle attacker on an untrusted network (coffee shop Wi-Fi, hotel network) can intercept the first HTTP request and redirect the user to a malicious copy of your site. Modern browsers support HSTS, but it must be explicitly enabled by the server.

Why It Matters to Your Business

A missing HSTS header exposes users to SSL stripping attacks on untrusted networks. If a user connects to your site from a public Wi-Fi network, an attacker can downgrade the connection to HTTP and intercept credentials, session cookies, or payment data. This can lead to account takeover, regulatory fines under GDPR, and loss of customer trust.

How to Fix It

Add the following header to your web server's HTTPS responses:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

For Nginx, add to your server block:
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

For Apache, add to your VirtualHost:
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

For Laravel, add to your middleware:
  $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');

Technical Classification

OWASP CategoryA05:2021 — Security Misconfiguration
CWE IDCWE-319: Cleartext Transmission of Sensitive Information
Detected Byheaders, security_features scanner(s)
Severity Levelhigh

Check if your website has this vulnerability

Our headers, security_features scanner checks for this issue automatically.

Scan My Website Free

Related Vulnerabilities