Fix Guide
How to Fix a Missing HSTS Header
The HTTPS response does not include Strict-Transport-Security.
Recommended fix
Add HSTS after confirming all canonical site traffic works over HTTPS.
This guide is designed to pair with a scanner report. Run a URL scan first, then follow the implementation steps.
Developer task
Set Strict-Transport-Security at the CDN, load balancer, Nginx, Apache, or app server layer.
Implementation steps
How to apply this fix
- Confirm every canonical hostname and subdomain works reliably over HTTPS.
- Add Strict-Transport-Security with a short max-age first to validate behavior.
- Once stable, raise max-age to a year and consider includeSubDomains and preload.
- Set the header at the CDN/load balancer/Nginx/Apache layer and re-scan to confirm.
Verify
Re-run the URL scan after deploying the change to confirm the issue clears and the Themerella Score updates.
Related guides