How do I fix hsts disabled on BigCommerce?

BigCommerce's SaaS infrastructure enforces HTTPS on all storefronts and sets HSTS headers automatically for stores on bigcommerce.com subdomains. For custom domains, go to BigCommerce Admin → Store Setup → Domain Settings and ensure your SSL certificate is active (BigCommerce provides a free Let's Encrypt cert). The platform then manages HSTS for that domain. If you use a CDN or reverse proxy in front of BigCommerce (e.g. Cloudflare), enable HSTS in the CDN layer: Cloudflare → SSL/TLS → Edge Certificates → HTTP Strict Transport Security (HSTS) → enable with max-age 12 months and Include Subdomains ON. Verify by opening DevTools → Network → any page request → Response Headers for Strict-Transport-Security.

How to fix hsts disabled on BigCommerce

Enable HTTP Strict-Transport-Security (HSTS) by setting a max-age of at least 31536000 seconds (one year) so browsers always use HTTPS when visiting your store.

Steps for BigCommerce

BigCommerce's SaaS infrastructure enforces HTTPS on all storefronts and sets HSTS headers automatically for stores on bigcommerce.com subdomains.
For custom domains, go to BigCommerce Admin → Store Setup → Domain Settings and ensure your SSL certificate is active (BigCommerce provides a free Let's Encrypt cert). The platform then manages HSTS for that domain.
If you use a CDN or reverse proxy in front of BigCommerce (e.g. Cloudflare), enable HSTS in the CDN layer: Cloudflare → SSL/TLS → Edge Certificates → HTTP Strict Transport Security (HSTS) → enable with max-age 12 months and Include Subdomains ON.
Verify by opening DevTools → Network → any page request → Response Headers for Strict-Transport-Security.

Official BigCommerce documentation ↗

Strict-Transport-Security: max-age=31536000; includeSubDomains

What is hsts disabled?

HTTP Strict-Transport-Security (HSTS) is a security header your web server sends to a visitor's browser. It tells the browser: "For the next X seconds, never connect to this site over plain HTTP — always use HTTPS, no exceptions." When HSTS is disabled or set to `max-age=0`, that instruction is removed and the browser is free to make unencrypted HTTP requests. HSTS is a one-line server response header, not a code change, but it has a significant impact on how securely shoppers connect to your store.

Without HSTS, even if your store has an SSL certificate, a customer could still land on an unencrypted HTTP version of your site — either by typing your address without "https://" or by following an old link. That window is enough for an attacker on the same network (e.g. a coffee-shop Wi-Fi) to intercept login credentials, session cookies, or payment-related data in a "man-in-the-middle" attack. Google treats HTTPS as a ranking signal and flags insecure sites in Chrome, so a missing or zeroed-out HSTS header can hurt both your search rankings and customer trust. Regulations such as PCI-DSS (required for stores handling card data) explicitly expect transport-layer protections like HSTS to be in place, and failure to comply can result in fines or loss of the ability to accept card payments.

See the complete Hsts disabled guide for every platform and the full background.

Not sure if your BigCommerce store has this?

Run a free SEOLZ audit — we’ll find hsts disabled and every other issue across your whole site.

Scan my site free

How to fix hsts disabled on BigCommerce

Steps for BigCommerce

What is hsts disabled?

Not sure if your BigCommerce store has this?

Fix hsts disabled on another platform