
Fix Missing HSTS Strict-Transport-Security Header

DodaTech Updated 2026-06-26 2 min read

In this tutorial, you'll learn how to fix a missing HSTS (Strict-Transport-Security) header. We cover key concepts, practical examples, and best practices.

Your security audit reports that the Strict-Transport-Security header is missing from all HTTPS responses. Without HSTS, an attacker on the same network can keep a user's connection on plain HTTP with an SSL stripping attack: the attacker intercepts the user's first, unencrypted request, relays it to your HTTPS server, and reads everything the user sends, including passwords and cookies. The browser has no way to know that the site should only ever be reached over HTTPS.

Wrong

The server sends no Strict-Transport-Security header.

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    location / {
        proxy_pass http://localhost:3000;
    }
}

Response headers:

HTTP/2 200 OK
Content-Type: text/html
Content-Length: 4521

The browser receives no HSTS instruction. Whenever the user types example.com without a scheme, or follows an http:// link, the first request goes out as plain HTTP, which an attacker on the path can intercept:

User types example.com → Attacker intercepts → Serves HTTP page
                      → Captures credentials → Forwards to HTTPS server
                      → User never knows

Correct

Add the Strict-Transport-Security header with an appropriate max-age, and use the always flag so it is sent on every response code.

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # "always": also send the header on 4xx/5xx responses and redirects
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://localhost:3000;
    }
}

Response headers:

HTTP/2 200 OK
Content-Type: text/html
Content-Length: 4521
Strict-Transport-Security: max-age=31536000; includeSubDomains

Apache:

# requires mod_headers (a2enmod headers on Debian/Ubuntu)
<VirtualHost *:443>
    ServerName example.com
    # "always" covers error and redirect responses as well as 200s
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>

Express with helmet:

const express = require('express');
const helmet = require('helmet');

const app = express();

// helmet.hsts() adds Strict-Transport-Security to every response.
// Remove preload: true unless you intend to submit the domain to hstspreload.org.
app.use(helmet.hsts({
  maxAge: 31536000,        // seconds (one year)
  includeSubDomains: true,
  preload: true,
}));

Verify with curl. Over HTTP/2, curl prints header names in lowercase, so match case-insensitively:

curl -s -I https://example.com | grep -i strict-transport-security
Strict-Transport-Security: max-age=31536000; includeSubDomains

Prevention

  • Add the Strict-Transport-Security header to all HTTPS responses using the web server configuration. Browsers ignore the header when it arrives over plain HTTP, so it only matters on the HTTPS listener.
  • Use the always flag in nginx (add_header ... always) and Header always set in Apache to ensure the header is sent even on error pages and redirects. In nginx, an add_header inside a location block replaces every add_header inherited from the server block, so repeat the HSTS directive in any location that sets its own headers.
  • Start with a short max-age (e.g., 300 for testing) and increase to 31536000 for production.
  • Add includeSubDomains only once all subdomains (including internal and legacy ones) serve HTTPS; a subdomain that cannot is unreachable for users until max-age expires.
  • Test the header with curl -I, securityheaders.com, or SSL Labs before deploying to production.
  • Redirect all HTTP traffic to HTTPS (301) before setting HSTS, so a user's first plain-HTTP request lands on an HTTPS response that carries the header. A same-host HTTP-to-HTTPS redirect is also a requirement for the preload list.

DodaTech Tools

Doda Browser provides a security audit panel that flags missing HSTS headers and recommends configuration steps. DodaZIP's deployment pipeline includes an automated HSTS header check before promoting builds to production. Durga Antivirus Pro refuses to connect to domains without HSTS during its cloud health checks and reports them as security risks.

FAQ

How do I check if my site has HSTS enabled?

Use curl -s -I https://example.com | grep -i strict-transport-security. If the header is present, the value shows your configuration; check that max-age is what you intended and that includeSubDomains is there if you meant to set it. Online tools like securityheaders.com and SSL Labs provide comprehensive security header reports including HSTS status and preload eligibility.
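The curl check above (and in the Verify section) only tells you the header exists. The following Node.js script, added here as an example and not code from the DodaTech article or its tools, parses the header value the way a browser does (RFC 6797: directives separated by ';', case-insensitive names, max-age required, an optional quoted value, duplicate directives make the whole header invalid) and then reports the findings an audit tool would: header missing, unparseable, max-age=0, max-age below one year, no includeSubDomains, and whether the value meets the hstspreload.org requirements. The response headers it inspects are constructed samples with lowercase names, as Node's http module and HTTP/2 deliver them; in a real check you would take them from an https.get response.

```javascript
// Added example: parse and assess Strict-Transport-Security values offline.
// Not part of the original article; sample responses below are constructed.

const ONE_YEAR = 31536000;

// Parse an HSTS value per RFC 6797. Returns null when a browser would
// ignore the header (no max-age, non-numeric max-age, duplicate directive).
// Unknown directives are skipped, as the RFC requires.
function parseHsts(value) {
  if (typeof value !== 'string') return null;
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  const seen = new Set();
  for (const raw of value.split(';')) {
    const part = raw.trim();
    if (part === '') continue;
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : part.slice(eq + 1).trim();
    if (val !== null && val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1); // max-age="300" is valid (quoted-string form)
    }
    if (seen.has(name)) return null; // a directive may appear only once
    seen.add(name);
    if (name === 'max-age') {
      if (val === null || !/^\d+$/.test(val)) return null; // delta-seconds only
      result.maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      result.includeSubDomains = true;
    } else if (name === 'preload') {
      result.preload = true;
    }
  }
  if (result.maxAge === null) return null; // max-age is mandatory
  return result;
}

// Assess the headers of one HTTPS response (keys lowercased). If the header
// was sent more than once, only the first instance counts (RFC 6797 8.1).
function assessHsts(headers) {
  const value = headers['strict-transport-security'];
  if (value === undefined) {
    return { present: false, parsed: null, preloadEligible: false, findings: ['missing'] };
  }
  const parsed = parseHsts(Array.isArray(value) ? value[0] : value);
  if (parsed === null) {
    return { present: true, parsed: null, preloadEligible: false, findings: ['unparseable'] };
  }
  const findings = [];
  if (parsed.maxAge === 0) findings.push('max-age=0 (disables HSTS)');
  else if (parsed.maxAge < ONE_YEAR) findings.push('max-age below one year (OK during rollout, too short for production)');
  if (!parsed.includeSubDomains) findings.push('no includeSubDomains');
  // hstspreload.org requires max-age >= 1 year, includeSubDomains and preload
  const preloadEligible = parsed.maxAge >= ONE_YEAR && parsed.includeSubDomains && parsed.preload;
  return { present: true, parsed, preloadEligible, findings };
}

// Constructed sample responses (not captured from any real host).
const SAMPLE_RESPONSES = {
  'no-header':     { 'content-type': 'text/html' },
  'rollout':       { 'strict-transport-security': 'max-age=300' },
  'production':    { 'strict-transport-security': 'max-age=31536000; includeSubDomains' },
  'preload-ready': { 'strict-transport-security': 'max-age=63072000; includeSubDomains; preload' },
};

// Run the assessment over every sample and return the results by name.
function auditSamples() {
  const report = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    report[name] = assessHsts(headers);
  }
  return report;
}

console.log(JSON.stringify(auditSamples(), null, 2));
```

The rollout sample is reported as too short for production on purpose: during the staged rollout described in the FAQ that finding is expected, and the audit should only fail the build once the target max-age has been reached.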

What is the immediate risk of not having HSTS?

Without HSTS, every visit whose first request is plain HTTP (the user types the hostname without https://, or follows an http:// link) is exposed to an SSL stripping attack. An attacker on the same Wi-Fi network can intercept that initial HTTP request, keep the user's connection on HTTP while relaying it to your HTTPS server, and capture all data including login credentials, session cookies, and personal information.

Can I deploy HSTS on an existing HTTPS site without downtime?

Yes. Deploy HSTS gradually: first with a short max-age (5 minutes) and no includeSubDomains. Monitor for issues over a few days. Increase max-age to 1 week, then 1 month, then 1 year. Once you are confident all subdomains support HTTPS, add includeSubDomains. Optionally submit to the preload list after a month of stable operation; hstspreload.org requires a max-age of at least 31536000, includeSubDomains, the preload directive, and an HTTP-to-HTTPS redirect on the domain itself. Treat preloading as permanent: removal from the list takes browser release cycles to propagate.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro