How to fix hsts disabled on Adobe Commerce (Magento)

Steps for Adobe Commerce (Magento)

1. In Adobe Commerce Admin, go to Stores → Configuration → General → Web → Base URLs (Secure) and ensure all base URLs use https://. Set 'Use Secure URLs on Storefront' and 'Use Secure URLs in Admin' both to Yes.
2. Add the HSTS header at the web server level — this is the most reliable method for Magento/Adobe Commerce deployments.
3. Nginx: In your Magento nginx.conf or the server block for your domain (typically /etc/nginx/sites-available/magento.conf), inside the `server { listen 443; }` block add: `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` then reload Nginx.
4. Apache: In your VirtualHost block for port 443 in your .conf file or in pub/.htaccess add: `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"` and restart Apache.
5. If hosted on Adobe Commerce Cloud (Magento Cloud), add the header in your .magento.app.yaml under web.locations headers or use a Fastly VCL snippet in the Fastly configuration panel within the Admin under Stores → Configuration → Advanced → System → Full Page Cache → Fastly Configuration.

Strict-Transport-Security: max-age=31536000; includeSubDomains

What is hsts disabled?

HTTP Strict-Transport-Security (HSTS) is a security header your web server sends to a visitor's browser. It tells the browser: "For the next X seconds, never connect to this site over plain HTTP — always use HTTPS, no exceptions." When HSTS is disabled or set to `max-age=0`, that instruction is removed and the browser is free to make unencrypted HTTP requests. HSTS is a one-line server response header, not a code change, but it has a significant impact on how securely shoppers connect to your store.

Without HSTS, even if your store has an SSL certificate, a customer could still land on an unencrypted HTTP version of your site — either by typing your address without "https://" or by following an old link. That window is enough for an attacker on the same network (e.g. a coffee-shop Wi-Fi) to intercept login credentials, session cookies, or payment-related data in a "man-in-the-middle" attack. Google treats HTTPS as a ranking signal and flags insecure sites in Chrome, so a missing or zeroed-out HSTS header can hurt both your search rankings and customer trust. Regulations such as PCI-DSS (required for stores handling card data) explicitly expect transport-layer protections like HSTS to be in place, and failure to comply can result in fines or loss of the ability to accept card payments.

See the complete Hsts disabled guide for every platform and the full background.