Hsts disabled

Quick win

Enable HTTP Strict-Transport-Security (HSTS) by setting a max-age of at least 31536000 seconds (one year) so browsers always use HTTPS when visiting your store.

What it is

HTTP Strict-Transport-Security (HSTS) is a security header your web server sends to a visitor's browser. It tells the browser: "For the next X seconds, never connect to this site over plain HTTP — always use HTTPS, no exceptions." When HSTS is disabled or set to `max-age=0`, that instruction is removed and the browser is free to make unencrypted HTTP requests. HSTS is a one-line server response header, not a code change, but it has a significant impact on how securely shoppers connect to your store.

Why it matters

Without HSTS, even if your store has an SSL certificate, a customer could still land on an unencrypted HTTP version of your site — either by typing your address without "https://" or by following an old link. That window is enough for an attacker on the same network (e.g. a coffee-shop Wi-Fi) to intercept login credentials, session cookies, or payment-related data in a "man-in-the-middle" attack. Google treats HTTPS as a ranking signal and flags insecure sites in Chrome, so a missing or zeroed-out HSTS header can hurt both your search rankings and customer trust. Regulations such as PCI-DSS (required for stores handling card data) explicitly expect transport-layer protections like HSTS to be in place, and failure to comply can result in fines or loss of the ability to accept card payments.

How to fix it

  1. Confirm your store is fully on HTTPS and all pages, assets, and subdomains load correctly over HTTPS before enabling HSTS — enabling it on a broken HTTPS setup can lock visitors out.
  2. Locate where your server sends HTTP response headers (your CDN, load balancer, reverse proxy such as Nginx or Apache, or your hosting platform's security settings).
  3. Add or update the Strict-Transport-Security header to: `Strict-Transport-Security: max-age=31536000; includeSubDomains` (the value 31536000 equals one year in seconds).
  4. Optionally append `; preload` to the header value and submit your domain to hstspreload.org to have it hard-coded into browsers — only do this after you are confident all subdomains will remain on HTTPS permanently.
  5. Deploy the change and verify it using your browser's developer tools (Network tab → inspect the response headers of any page) or a tool like securityheaders.com.
  6. Monitor for any mixed-content warnings after deployment; fix any remaining HTTP asset references so the header does not break anything.

The resulting response header, as a single line:

`Strict-Transport-Security: max-age=31536000; includeSubDomains`
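An added check for step 5 that needs no browser (example code, not from the original page): it parses the header the way RFC 6797 describes and classifies the result the way an audit would, including the `max-age=0` case and the header being sent only over plain HTTP. The sample responses are constructed, and `fetch_headers` is a hypothetical helper for a live check of your own domain.

```python
import http.client
MIN_MAX_AGE = 31536000  # one year, the minimum max-age recommended above

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value} (RFC 6797 section 6.1);
    directive names are case-insensitive and the max-age value may be quoted."""
    directives = {}
    for part in value.split(";"):
        if part.strip():
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def evaluate_hsts(headers, over_https=True):
    """Classify the HSTS policy of a response given as (name, value) pairs. Browsers honor
    the header only on HTTPS responses and, if it is repeated, act on the first instance."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return "disabled", "no Strict-Transport-Security header"
    if not over_https:
        return "ignored", "HSTS sent over plain HTTP is not honored by browsers"
    d = parse_hsts(values[0])
    if not d.get("max-age", "").isdigit():
        return "invalid", "max-age missing or not a number"
    max_age = int(d["max-age"])
    if max_age == 0:
        return "disabled", "max-age=0 tells browsers to drop the HSTS policy"
    if max_age < MIN_MAX_AGE:
        return "weak", "max-age %d is below one year (%d)" % (max_age, MIN_MAX_AGE)
    subs = "set" if "includesubdomains" in d else "not set"
    return "ok", "max-age is at least one year; includeSubDomains " + subs

def fetch_headers(host):
    """Live check of https://host/ (hypothetical helper; the samples below need no network)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", "/")
    return conn.getresponse().getheaders()

# Constructed sample responses, not captured from any real site.
SAMPLES = {
    "fixed": [("Content-Type", "text/html"),
              ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")],
    "zeroed": [("Strict-Transport-Security", "max-age=0")],
    "short": [("strict-transport-security", 'MAX-AGE="86400"; includeSubDomains')],
    "missing": [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, *evaluate_hsts(hdrs))
```

Pass the output of `fetch_headers("yourdomain.example")` to `evaluate_hsts` to check a deployed store; a header that only appears on the HTTP-to-HTTPS redirect response should be evaluated with `over_https=False`.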

Fix it on your platform

Pick your platform for the exact steps.

How to fix hsts disabled on Shopify
  1. Shopify automatically enforces HTTPS and injects the HSTS header with `max-age=31536000; includeSubDomains; preload` for all storefronts on the shopify.com infrastructure — no manual configuration is needed.
  2. If you use a custom domain, go to Shopify Admin → Online Store → Domains, ensure your custom domain shows a green padlock, and toggle 'Redirect all traffic to this domain' ON — Shopify then manages HSTS for that domain.
  3. If you use Shopify Plus with a custom reverse proxy or edge configuration (e.g. Cloudflare), set the HSTS header in your CDN/proxy layer as described in the Cloudflare or proxy steps below.
How to fix hsts disabled on Shopify Plus
  1. Shopify Plus storefronts served directly through Shopify's infrastructure inherit the same automatic HSTS settings as standard Shopify.
  2. For headless/custom-domain setups routed through Cloudflare or another CDN, configure HSTS in that CDN layer: Cloudflare → your domain → SSL/TLS → Edge Certificates → enable 'HTTP Strict Transport Security (HSTS)' and set max-age to 12 months with 'Include subdomains' ON.
  3. Verify the deployed header via browser DevTools (F12) → Network → click any page request → Response Headers → confirm Strict-Transport-Security is present with max-age ≥ 31536000.
How to fix hsts disabled on WooCommerce
  1. WooCommerce runs on WordPress, so HSTS is set at the server or plugin level, not within WooCommerce itself.
  2. Plugin approach (recommended for non-technical owners): Install the 'Headers Security Advanced & HSTS WP' plugin (or 'WP Force SSL & HTTPS SSL Redirect' which includes HSTS settings) from WordPress Admin → Plugins → Add New. In the plugin settings, enable HSTS and set max-age to 31536000 with 'Include Subdomains' checked.
  3. Server approach (Nginx): Edit your site's Nginx config (usually in /etc/nginx/sites-available/yourdomain.conf) inside the `server { }` block for port 443 and add: `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` then run `nginx -t` and `systemctl reload nginx`.
  4. Server approach (Apache): Add `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"` to your VirtualHost block in your .conf file or .htaccess, then restart Apache.
  5. If hosted on WP Engine, Kinsta, or SiteGround, check their control panel for a 'Security Headers' or 'HSTS' toggle, or contact their support to enable it at the server level.
How to fix hsts disabled on WordPress.org
  1. Install a security headers plugin such as 'Headers Security Advanced & HSTS WP' or 'Solid Security (iThemes Security)' from WordPress Admin → Plugins → Add New.
  2. In the plugin's settings panel, find the HSTS or Security Headers section and enable Strict-Transport-Security with max-age set to 31536000 and 'Include Subdomains' enabled.
  3. Alternatively, add the header directly in your theme's functions.php (child theme recommended): `add_action('send_headers', function(){ header('Strict-Transport-Security: max-age=31536000; includeSubDomains'); });`
  4. For server-level control, edit your Nginx or Apache config as described in the WooCommerce steps above — this is the most reliable method.
How to fix hsts disabled on BigCommerce
  1. BigCommerce's SaaS infrastructure enforces HTTPS on all storefronts and sets HSTS headers automatically for stores on bigcommerce.com subdomains.
  2. For custom domains, go to BigCommerce Admin → Store Setup → Domain Settings and ensure your SSL certificate is active (BigCommerce provides a free Let's Encrypt cert). The platform then manages HSTS for that domain.
  3. If you use a CDN or reverse proxy in front of BigCommerce (e.g. Cloudflare), enable HSTS in the CDN layer: Cloudflare → SSL/TLS → Edge Certificates → HTTP Strict Transport Security (HSTS) → enable with max-age 12 months and Include Subdomains ON.
  4. Verify by opening DevTools → Network → any page request → Response Headers for Strict-Transport-Security.
How to fix hsts disabled on Wix
  1. Wix manages SSL and HSTS for all sites hosted on Wix infrastructure — you cannot and do not need to set it manually for wixsite.com domains.
  2. For a connected custom domain, Wix automatically provisions SSL and sends HSTS headers. Ensure SSL is enabled: Wix Dashboard → Settings → Custom Domain → confirm the SSL toggle is ON.
  3. If you have a custom domain routed through Cloudflare, verify HSTS is set in Cloudflare → SSL/TLS → Edge Certificates → enable HSTS with max-age ≥ 31536000.
  4. Wix does not expose raw HTTP header configuration — if a security scanner still reports HSTS missing on your Wix site, contact Wix Support and reference that your HSTS header is absent or set to max-age=0.
How to fix hsts disabled on Squarespace
  1. Squarespace automatically enables SSL and sets HSTS headers for all sites — no manual configuration is available or required for sites hosted on Squarespace infrastructure.
  2. Ensure SSL is active: Squarespace Admin → Settings → Advanced → SSL and set to 'Secure (Preferred)' or 'Secure Only'.
  3. If 'Secure Only' is selected, Squarespace forces HTTPS redirects and maintains appropriate transport security headers.
  4. If a scanner still reports HSTS as disabled, ensure you are not using a legacy Squarespace version 7.0 plan with a custom proxy; contact Squarespace Support to investigate.
How to fix hsts disabled on Webflow
  1. Webflow automatically provisions SSL and sets HSTS headers for all sites published to Webflow Hosting — no manual action is needed for webflow.io or connected custom domains.
  2. Ensure your site is published to Webflow Hosting (not self-hosted export): Webflow Designer → Publish → Webflow subdomain or your custom domain.
  3. For custom domains, go to Webflow Dashboard → Project Settings → Publishing → Custom Domain, confirm SSL is active (green padlock shown).
  4. If you export and self-host Webflow code on your own server, add the HSTS header in your Nginx or Apache config as described in the WooCommerce server steps above.
How to fix hsts disabled on Adobe Commerce (Magento)
  1. In Adobe Commerce Admin, go to Stores → Configuration → General → Web → Base URLs (Secure) and ensure all base URLs use https://. Set 'Use Secure URLs on Storefront' and 'Use Secure URLs in Admin' both to Yes.
  2. Add the HSTS header at the web server level — this is the most reliable method for Magento/Adobe Commerce deployments.
  3. Nginx: In your Magento nginx.conf or the server block for your domain (typically /etc/nginx/sites-available/magento.conf), inside the `server { listen 443; }` block add: `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` then reload Nginx.
  4. Apache: In your VirtualHost block for port 443 in your .conf file or in pub/.htaccess add: `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"` and restart Apache.
  5. If hosted on Adobe Commerce Cloud (Magento Cloud), add the header in your .magento.app.yaml under web.locations headers or use a Fastly VCL snippet in the Fastly configuration panel within the Admin under Stores → Configuration → Advanced → System → Full Page Cache → Fastly Configuration.
How to fix hsts disabled on Magento Open Source
  1. Follow the same Nginx or Apache server-level steps as Adobe Commerce above — add `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` in your Nginx server block or `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"` in Apache.
  2. In Magento Admin, confirm Stores → Configuration → General → Web → Secure → Use Secure URLs = Yes for both storefront and admin.
  3. If using a shared hosting control panel (cPanel), look for an 'HSTS' toggle under Security → SSL/TLS Status or use the .htaccess method.
How to fix hsts disabled on PrestaShop
  1. In PrestaShop Admin, go to Shop Parameters → General and enable 'Force HTTPS for all pages' — this enables redirects but does not itself set the HSTS header.
  2. Add the HSTS header at the server level: for Nginx add `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` in your server block; for Apache add `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"` in your VirtualHost or .htaccess.
  3. Alternatively, add it in PrestaShop's .htaccess file in the root directory (Apache only), after the existing security headers section.
  4. Verify via browser DevTools after deployment.
