Missing HSTS Header
The HTTP Strict Transport Security (HSTS) header is missing, allowing browsers to silently downgrade HTTPS connections to HTTP.
What is Missing HSTS Header?
HSTS (HTTP Strict Transport Security) is a response header that tells browsers to only connect to your site over HTTPS for a specified period (typically 1 year). Without HSTS, a man-in-the-middle attacker on an untrusted network (coffee shop Wi-Fi, hotel network) can intercept the first HTTP request and redirect the user to a malicious copy of your site. Modern browsers support HSTS, but it must be explicitly enabled by the server.
Why It Matters to Your Business
A missing HSTS header exposes users to SSL stripping attacks on untrusted networks. If a user connects to your site from a public Wi-Fi network, an attacker can downgrade the connection to HTTP and intercept credentials, session cookies, or payment data. This can lead to account takeover, regulatory fines under GDPR, and loss of customer trust.
How to Fix It
Add the following header to your web server's HTTPS responses:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
For Nginx, add to your server block:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
For Apache, add to your VirtualHost:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
For Laravel, add to your middleware:
$response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
Technical Classification
| OWASP Category | A05:2021 — Security Misconfiguration |
| CWE ID | CWE-319: Cleartext Transmission of Sensitive Information |
| Detected By | headers, security_features scanner(s) |
| Severity Level | high |
How 2MNY Security Can Help
Check if your website has this vulnerability
Our headers, security_features scanner checks for this issue automatically.
Scan My Website FreeRelated Vulnerabilities
Missing Content-Security-Policy Header
No Content-Security-Policy (CSP) header is set, leaving the site vulnerable to cross-site scripting (XSS) and data injection attacks.
Missing X-Frame-Options Header (Clickjacking)
The X-Frame-Options header is missing, allowing your site to be embedded in iframes on malicious sites (clickjacking attacks).
Insecure Cookie Configuration
Session cookies are missing the Secure, HttpOnly, or SameSite attributes, exposing them to theft via XSS, MITM, or CSRF.
CORS Misconfiguration
The server reflects arbitrary Origin headers with credentials, allowing any website to make authenticated cross-origin requests.