Medium severity · Vercel

Missing HSTS header on Vercel

Your site is missing a Strict-Transport-Security (HSTS) header. HSTS tells browsers to only ever connect to your domain over HTTPS, even if a user types `http://` or clicks an old link. Without it, an attacker on a public Wi-Fi network can downgrade the connection and read or modify traffic. Fix it with one response header: `Strict-Transport-Security: max-age=31536000; includeSubDomains`. Add it in your framework config or at the CDN level.

The fix for Vercel

Vercel auto-enables HSTS on custom domains, but apps on *.vercel.app need the header set explicitly. The snippet below is the header entry in its place inside a `vercel.json` `headers` rule; the `/(.*)` source pattern applies it to every route.

{
  "headers": [{
    "source": "/(.*)",
    "headers": [
      { "key": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains" }
    ]
  }]
}

Why it matters

HSTS defends against SSL-stripping attacks, which are trivial to run on open Wi-Fi. Even if your site redirects http → https, that redirect itself happens over HTTP the first time and can be hijacked. HSTS tells the browser to skip the HTTP step forever after the first visit.

Confirm the fix worked

Scan your Vercel site to confirm this finding is gone.

Apply across your codebase

Paste this into Cursor, Lovable, Bolt, v0, or Claude Code.

Add a Strict-Transport-Security header to my app with max-age of one year and includeSubDomains. Make sure it only goes out on HTTPS responses. If my framework supports per-route headers, apply it globally. Tell me how to verify it in DevTools after deploying.
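The prompt above asks for the header to go out only on HTTPS responses. The following is an added example, not code from this page or from Vercel: a framework-agnostic Node request handler that sets the header only when the request arrived over HTTPS and redirects plain-HTTP requests instead. It assumes the platform's TLS-terminating proxy forwards the client scheme in `X-Forwarded-Proto` (an assumption; most reverse proxies do this) and falls back to the socket's own TLS state otherwise. The function and variable names are the example's own.

```javascript
// Added example (not from the scanner page or Vercel): emit
// Strict-Transport-Security only on responses served over HTTPS. Browsers
// discard HSTS received over plain HTTP, and sending it there usually means
// the origin cannot tell the two schemes apart.

const ONE_YEAR = 31536000;
const HSTS_VALUE = `max-age=${ONE_YEAR}; includeSubDomains`;

// Was the client connection HTTPS? Behind a TLS-terminating proxy the socket
// itself is plain HTTP, so the forwarded scheme is consulted first
// (assumption: the proxy sets X-Forwarded-Proto). Fall back to the socket's
// own TLS state when no proxy header is present.
function isHttps(req) {
  const forwarded = req.headers && req.headers['x-forwarded-proto'];
  if (typeof forwarded === 'string' && forwarded.length > 0) {
    // May be a comma-separated chain of proxies; the first entry is the client's scheme.
    return forwarded.split(',')[0].trim().toLowerCase() === 'https';
  }
  return Boolean(req.socket && req.socket.encrypted);
}

// Set the header when appropriate. Returns true when it was added so the
// decision is observable without inspecting the response object.
function applyHsts(req, res) {
  if (!isHttps(req)) return false;
  res.setHeader('Strict-Transport-Security', HSTS_VALUE);
  return true;
}

// Plain-HTTP requests are redirected to HTTPS. HSTS removes this step for
// returning visitors, but the very first visit still depends on it.
function redirectToHttps(req, res) {
  const host = (req.headers && req.headers.host) || 'example.invalid'; // placeholder host
  res.statusCode = 301;
  res.setHeader('Location', `https://${host}${req.url || '/'}`);
  res.end();
}

// Hypothetical application handler: wire it up with http.createServer(handler).
function handler(req, res) {
  if (!applyHsts(req, res)) {
    return redirectToHttps(req, res);
  }
  res.statusCode = 200;
  res.end('hello over HTTPS\n');
}
```

Locally, `require('http').createServer(handler).listen(3000)` serves the handler; a request without `X-Forwarded-Proto: https` is redirected, a request carrying it receives the HSTS header.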

Frequently asked questions

What if I don't have HTTPS yet?

Get HTTPS first. Vercel, Netlify, and Cloudflare all provision free certificates automatically. Setting HSTS without a working certificate will lock users out of your site.

Should I preload HSTS?

Only after you are certain HTTPS works on every subdomain. Preload is submitted to browser makers and is painful to reverse. Start with max-age=31536000 for a month, then consider preload.

Does this protect against phishing domains?

No — HSTS only protects your own domain. It does not help against typosquatting or phishing sites. For that, use DMARC for email and a trademark registration.
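The "Confirm the fix worked" section and the preload question above both come down to reading the header a deployment actually sends. The following is an added example, not code from this page or from Vercel: it parses a Strict-Transport-Security value, reports whether it meets the page's recommendation (one-year max-age plus includeSubDomains), flags the ways the header is commonly wrong (sent over HTTP, max-age=0, short max-age), and says whether the value satisfies the three header-level conditions of the browser preload list (max-age of at least 31536000, includeSubDomains, preload). The sample responses are constructed, and the function names are the example's own.

```javascript
// Added example (not from the scanner page or Vercel): audit a
// Strict-Transport-Security header value as a browser would read it.

const ONE_YEAR = 31536000;

// Parse "max-age=31536000; includeSubDomains; preload" into a plain object.
// Directive names are case-insensitive (RFC 6797); quoted values are unquoted.
function parseHsts(value) {
  const directives = {};
  for (const part of String(value).split(';')) {
    const token = part.trim();
    if (!token) continue;
    const eq = token.indexOf('=');
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? true : token.slice(eq + 1).trim().replace(/^"|"$/g, '');
    directives[name] = val;
  }
  return directives;
}

// Evaluate a response. `headers` is an object keyed by lowercase header name,
// as Node's http module and fetch's Headers.entries() provide. `scheme` is the
// scheme the response was fetched over: HSTS received over http is discarded.
function auditHsts(headers, { scheme = 'https' } = {}) {
  const findings = [];
  const raw = headers['strict-transport-security'];
  if (raw === undefined) {
    findings.push('missing: no Strict-Transport-Security header');
    return { present: false, preloadReady: false, findings };
  }
  if (scheme !== 'https') {
    findings.push('ignored: HSTS received over plain HTTP is discarded by browsers');
  }
  const d = parseHsts(raw);
  const maxAge = d['max-age'] === undefined ? NaN : Number(d['max-age']);
  if (Number.isNaN(maxAge)) {
    findings.push('invalid: max-age missing or not a number');
  } else if (maxAge === 0) {
    findings.push('disabled: max-age=0 tells browsers to forget the policy');
  } else if (maxAge < ONE_YEAR) {
    findings.push(`weak: max-age=${maxAge} is below one year (${ONE_YEAR})`);
  }
  const includeSubDomains = Boolean(d.includesubdomains);
  const preload = Boolean(d.preload);
  if (!includeSubDomains) findings.push('weak: includeSubDomains not set');
  // Header-level preload requirements; the submission form checks more (e.g. redirects).
  const preloadReady = scheme === 'https' && maxAge >= ONE_YEAR && includeSubDomains && preload;
  return { present: true, maxAge, includeSubDomains, preload, preloadReady, findings };
}

// Constructed sample responses, not real scan output.
const SAMPLES = {
  missing: {},
  recommended: { 'strict-transport-security': 'max-age=31536000; includeSubDomains' },
  short: { 'strict-transport-security': 'max-age=86400' },
  preload: { 'strict-transport-security': 'max-age=63072000; includeSubDomains; preload' },
};

// Optional live check: `node hsts-audit.js https://your-site.example` (placeholder URL)
// fetches the page and audits its headers. Skipped when no URL is given so the
// file runs offline against the samples. Requires Node 18+ for global fetch.
async function auditUrl(url) {
  const resp = await fetch(url, { redirect: 'manual' });
  const scheme = new URL(url).protocol.replace(':', '');
  return auditHsts(Object.fromEntries(resp.headers.entries()), { scheme });
}

if (typeof process !== 'undefined' && process.argv[2] && /^https?:\/\//.test(process.argv[2])) {
  auditUrl(process.argv[2]).then((r) => console.log(JSON.stringify(r, null, 2)));
} else {
  for (const [name, headers] of Object.entries(SAMPLES)) {
    console.log(name, auditHsts(headers).findings);
  }
}
```

Running it against the deployed site after the `vercel.json` change should produce an empty findings list and `preloadReady: false`; `preloadReady` only turns true once the `preload` directive is added, which matches the FAQ's advice to run with the plain one-year policy first.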