How to fix a missing Strict-Transport-Security (HSTS) header
Your site is missing a Strict-Transport-Security (HSTS) header. HSTS tells browsers to only ever connect to your domain over HTTPS, even if a user types `http://` or clicks an old link. Without it, an attacker on a public Wi-Fi network can downgrade the connection and read or modify traffic. Fix it with one response header: `Strict-Transport-Security: max-age=31536000; includeSubDomains`. Add it in your framework config or at the CDN level.
Why it matters
HSTS defends against SSL-stripping attacks, which are trivial to run on open Wi-Fi. Even if your site redirects http → https, that redirect itself happens over HTTP the first time and can be hijacked. HSTS tells the browser to skip the HTTP step forever after the first visit.
How to check
- Open DevTools → Network → reload → click the document request.
- Look for `strict-transport-security` under Response Headers.
- Confirm `max-age` is at least 15552000 (180 days).
- Confirm `includeSubDomains` is present; without it, subdomains are still vulnerable.
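As an added example (not code from the SafeToShip page), here is a small Node.js checker that applies the steps above to a captured response and also flags the case the Generic fix below warns about, a policy sent over plain HTTP. The response objects it takes are constructed samples, and the 15552000-second floor is the one from step 3.

```javascript
// Added example (not from the SafeToShip page): an offline HSTS checker that
// mirrors the "How to check" steps. It parses a Strict-Transport-Security
// value per RFC 6797 and reports findings for a captured response.
const MIN_MAX_AGE = 15552000; // 180 days, the floor the guide recommends

// Parse "max-age=31536000; includeSubDomains; preload" into an object.
// Directive names are case-insensitive and values may be quoted. A missing,
// malformed or duplicated max-age makes the whole header invalid.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false, valid: true };
  for (const part of value.split(';')) {
    const [rawName, ...rest] = part.split('=');
    const name = rawName.trim().toLowerCase();
    const val = rest.join('=').trim().replace(/^"(.*)"$/, '$1');
    if (name === 'max-age') {
      if (!/^\d+$/.test(val) || out.maxAge !== null) { out.valid = false; break; }
      out.maxAge = Number(val);
    } else if (name === 'includesubdomains') out.includeSubDomains = true;
    else if (name === 'preload') out.preload = true;
  }
  if (out.maxAge === null) out.valid = false;
  return out;
}

// Evaluate a captured response: the request scheme plus its response headers
// (keys lower-cased, as Node's http module does). Browsers ignore HSTS received
// over plain HTTP and, per RFC 6797, only honour the first STS field if several arrive.
function checkHsts(response) {
  const findings = [];
  const values = [].concat(response.headers['strict-transport-security'] ?? []);
  if (response.scheme !== 'https') findings.push('response was not served over HTTPS; browsers ignore HSTS here');
  if (values.length === 0) return { ok: false, findings: [...findings, 'Strict-Transport-Security header missing'] };
  const hsts = parseHsts(values[0]);
  if (!hsts.valid) findings.push('header present but max-age missing or malformed; browsers ignore it');
  else {
    if (hsts.maxAge === 0) findings.push('max-age=0 removes the policy rather than enabling it');
    else if (hsts.maxAge < MIN_MAX_AGE) findings.push(`max-age ${hsts.maxAge} is below ${MIN_MAX_AGE} (180 days)`);
    if (!hsts.includeSubDomains) findings.push('includeSubDomains missing; subdomains remain exposed');
  }
  return { ok: findings.length === 0, findings, parsed: hsts };
}

// Constructed sample responses (not real sites) for a quick self-check.
const good = { scheme: 'https', headers: { 'strict-transport-security': 'max-age=31536000; includeSubDomains' } };
const weak = { scheme: 'https', headers: { 'strict-transport-security': 'max-age=600' } };
console.log(checkHsts(good).ok, checkHsts(weak).findings);
```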
How to fix it
Next.js
Add HSTS alongside your other headers in next.config.js; the `source: '/(.*)'` pattern applies it to every route.
```js
module.exports = {
  async headers() {
    return [{ source: '/(.*)', headers: [{
      key: 'Strict-Transport-Security',
      value: 'max-age=31536000; includeSubDomains'
    }] }];
  }
};
```
Vercel
Vercel auto-enables HSTS on custom domains, but apps on *.vercel.app need the header set explicitly. Add it to the `headers` array in vercel.json:
```json
{ "headers": [{ "source": "/(.*)", "headers": [{
  "key": "Strict-Transport-Security",
  "value": "max-age=31536000; includeSubDomains"
}] }] }
```
Generic
Send this header on every HTTPS response. Never send it over HTTP: browsers ignore an HSTS header received over plain HTTP, so it adds nothing there.
```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
```
AI prompt
Copy-paste into your AI tool
Paste this prompt into Cursor, Lovable, Bolt, v0, or Claude Code and it will walk through the fix for your specific codebase.
Add a Strict-Transport-Security header to my app with max-age of one year and includeSubDomains. Make sure it only goes out on HTTPS responses. If my framework supports per-route headers, apply it globally. Tell me how to verify it in DevTools after deploying.
FAQ
Frequently asked questions
- What if I don't have HTTPS yet?
- Get HTTPS first. Vercel, Netlify, and Cloudflare all provision free certificates automatically. Setting HSTS without a working certificate will lock users out of your site.
- Should I preload HSTS?
- Only after you are certain HTTPS works on every subdomain. Preload is submitted to browser makers and is painful to reverse. Start with max-age=31536000 for a month, then consider preload.
- Does this protect against phishing domains?
- No — HSTS only protects your own domain. It does not help against typosquatting or phishing sites. For that, use DMARC for email and a trademark registration.
Related fix guides
Fix these too
Missing CSP header
A missing Content-Security-Policy header lets attackers inject scripts into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
Mixed content warnings
Loading HTTP resources from an HTTPS page breaks the security guarantee. Browsers block most of it automatically now — here is how to fix the rest.
Expired SSL certificate
An expired certificate breaks your site — browsers show a big red warning. Here is how to renew and set up auto-renewal.
Learn the concepts
Glossary
HTTP Strict Transport Security
HSTS is an HTTP response header that tells browsers to only connect to your site over HTTPS, even if a user types `http://`. It stops SSL stripping attacks.
SSL / TLS
The encryption protocols that power HTTPS. TLS 1.2 and 1.3 are current; older versions are deprecated.
Security Headers
A set of HTTP response headers that harden your site against common web attacks. Every site should send all six.
Platform guides
Building on these platforms?
Next.js security
Next.js is the most popular React framework, but even experienced developers miss security headers and accidentally expose server files in production.
Vercel security
Vercel handles hosting and SSL, but your application code still needs security hardening. Missing CSP headers and exposed environment variables are the top issues.
Lovable security
Lovable makes it easy to ship fast, but AI-generated backends often ship with open Supabase tables and leaked API keys. Scan your Lovable app before your users find out.
Bolt security
Bolt generates full-stack apps in seconds, but speed can leave security gaps. Exposed environment files and missing CORS configuration are common in Bolt projects.