Fix Guide

How to Fix a Missing HSTS Header

The HTTPS response does not include Strict-Transport-Security.

Safe public URL scan. Results include technology evidence, SEO checks, security headers, accessibility basics, and a developer fix list.

Recommended fix

Add HSTS after confirming all canonical site traffic works over HTTPS.

This guide is designed to pair with a scanner report. Run a URL scan first, then follow the implementation steps.

Developer task

Set Strict-Transport-Security at the CDN, load balancer, Nginx, Apache, or app server layer.

Implementation steps

How to apply this fix

  1. Confirm every canonical hostname and subdomain works reliably over HTTPS.
  2. Add Strict-Transport-Security with a short max-age first to validate behavior.
  3. Once stable, raise max-age to a year and consider includeSubDomains and preload.
  4. Set the header at the CDN/load balancer/Nginx/Apache layer and re-scan to confirm.
Verify

Re-run the URL scan after deploying the change to confirm the issue clears and the Themerella Score updates.

Related guides

Continue the same website quality workflow.