Hsts max age too short

Quick win

Increase your HSTS max-age to at least 31536000 (one year) so browsers enforce HTTPS-only connections for a meaningful period.

What it is

HTTP Strict-Transport-Security (HSTS) is a security header your web server sends to browsers, telling them: "Always connect to this site over HTTPS — never plain HTTP." The `max-age` value controls how long (in seconds) a browser remembers and enforces that instruction. A value of 300 means only 5 minutes — barely longer than a single browsing session. Security standards require a minimum of 31536000 seconds (one full year) so that the protection persists long after a visitor closes your site.

Why it matters

A short max-age leaves your customers exposed to "SSL-stripping" and man-in-the-middle attacks during the vast majority of return visits, because the browser forgets the HTTPS-only rule within minutes and will happily try an insecure HTTP connection again. This directly endangers login credentials, payment data, and personal information — the kind of cryptographic failure OWASP ranks as one of the top two web security risks (A02:2021). Beyond security, Google uses HTTPS as a ranking signal and Chrome actively warns users about insecure sites; a site that intermittently falls back to HTTP risks both rankings and customer trust. Compliance frameworks such as PCI-DSS, and GDPR-driven security reviews, also expect HSTS to be configured correctly for sites handling payment or personal data.

How to fix it

  1. Confirm your site has a valid, trusted TLS/SSL certificate installed and that every page, asset, and redirect already works correctly over HTTPS before changing HSTS — a misconfigured HSTS with a long max-age can lock visitors out if HTTPS breaks.
  2. Locate where your server sends HTTP response headers (web-server config, CDN settings, or your platform's security-header controls — see platform steps below).
  3. Find the existing Strict-Transport-Security header (it may already exist with a short max-age like 300).
  4. Replace or set the header value to: Strict-Transport-Security: max-age=31536000; includeSubDomains (add the optional 'preload' directive only after you have verified everything works and you intend to submit to the HSTS preload list). Send the header only on HTTPS responses: browsers ignore HSTS received over plain HTTP (RFC 6797), so the HTTP listener should simply redirect to HTTPS.
  5. Deploy the change and verify using your browser's DevTools (Network tab → select any response → look for Strict-Transport-Security in the response headers) or a tool like securityheaders.com.
  6. Monitor for any mixed-content or HTTP-fallback warnings after deployment; fix any remaining HTTP asset URLs before considering the 'preload' flag.

Recommended header value (copy exactly):

Strict-Transport-Security: max-age=31536000; includeSubDomains
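To check the header you deployed in step 5 without depending on a third-party site, here is an added example (not from the original page or any vendor's tooling) that parses a Strict-Transport-Security value per RFC 6797 and reports the same findings this audit describes, including the plain-HTTP caveat from step 4; the sample header values are constructed.

```python
import re
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # minimum max-age in seconds the audit expects


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split an HSTS header value into {directive: value} per RFC 6797:
    directives separated by ';', names case-insensitive, values optionally quoted."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        name, _, raw = part.strip().partition("=")
        if name.strip():
            directives[name.strip().lower()] = raw.strip().strip('"') if raw else None
    return directives


def audit_hsts(value: Optional[str], over_https: bool = True) -> List[str]:
    """Return findings for one response header; an empty list means it passes."""
    findings: List[str] = []
    if not over_https:  # browsers ignore HSTS unless the response arrived over TLS
        findings.append("HSTS sent over plain HTTP is ignored by browsers")
    if value is None:
        return findings + ["missing Strict-Transport-Security header"]
    d = parse_hsts(value)
    raw_age = d.get("max-age")
    age = int(raw_age) if raw_age and re.fullmatch(r"\d+", raw_age) else None
    if age is None:
        findings.append("max-age missing or not a non-negative integer")
    elif age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif age < ONE_YEAR:
        findings.append(f"max-age {age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set; subdomains stay unprotected")
    if "preload" in d and ("includesubdomains" not in d or not age or age < ONE_YEAR):
        findings.append("preload requires includeSubDomains and max-age >= 1 year")
    return findings


# Constructed sample header values (not captured from any real site).
SAMPLES = {
    "short": "max-age=300; includeSubDomains",           # the audit finding
    "fixed": "max-age=31536000; includeSubDomains",      # the value from step 4
    "quoted": 'Max-Age="31536000"; IncludeSubDomains; preload',
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label}: {audit_hsts(header) or ['OK']}")
```

Feed it the header value copied from DevTools, and pass over_https=False if the response you captured came from the port-80 listener.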

Fix it on your platform

Pick your platform for the exact steps.

How to fix hsts max age too short on Shopify

  1. Shopify automatically sets HSTS on all storefronts (myshopify.com and custom domains) with a compliant max-age — you cannot and do not need to set this header manually in the Shopify admin.
  2. If you are using a custom domain, go to Admin → Settings → Domains and confirm your domain shows a green padlock / 'SSL Active' status. Shopify manages the header at the CDN layer.
  3. If a third-party proxy (e.g. Cloudflare) sits in front of your Shopify store and is overriding headers, configure HSTS there instead (see the CDN/proxy provider's dashboard under Security or SSL/TLS settings and set max-age to 31536000).
  4. Verify the live header value at securityheaders.com by entering your storefront URL.

How to fix hsts max age too short on WooCommerce

  1. WooCommerce runs on WordPress with your own hosting, so the HSTS header is set at the web-server or plugin level — WordPress/WooCommerce core does not set it by default.
  2. Option A — Plugin (recommended for non-technical owners): Install the free 'Headers Security Advanced & HSTS WP' plugin (or 'HTTP Headers' by DataCove). Go to Plugins → Add New, search for the plugin name, install and activate it. In the plugin settings, set Strict-Transport-Security max-age to 31536000 and enable includeSubDomains.
  3. Option B — Apache (.htaccess): Open your root .htaccess file via Hosting cPanel → File Manager or via FTP. Inside the '<IfModule mod_headers.c>' block (or add one), insert: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  4. Option C — Nginx (nginx.conf or site config): In your server {} block for port 443 add: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; then check the syntax with sudo nginx -t and reload Nginx: sudo systemctl reload nginx
  5. Verify with DevTools (F12 → Network → any response → Response Headers) or securityheaders.com.

How to fix hsts max age too short on BigCommerce

  1. BigCommerce manages HTTPS and HSTS at the platform/CDN level for storefronts hosted on bigcommerce.com infrastructure — the header is set automatically with a compliant max-age.
  2. If you are running BigCommerce behind a custom CDN or reverse proxy, log in to that CDN dashboard (e.g. Cloudflare: SSL/TLS → Edge Certificates → HTTP Strict Transport Security) and set max-age to 31536000.
  3. For headless BigCommerce storefronts (Next.js, Gatsby, etc.), add the header in your hosting layer: in Next.js use next.config.js headers(); on Vercel/Netlify use their dashboard or config file headers settings.
  4. Verify at securityheaders.com.

How to fix hsts max age too short on Wix

  1. Wix manages HTTPS and HSTS at the infrastructure level — all Wix sites are served with HTTPS enforced by Wix's CDN and you cannot directly edit HTTP response headers from the Wix dashboard.
  2. If your site is behind Cloudflare or another proxy that is stripping or overriding the HSTS header, log in to that proxy and set Strict-Transport-Security: max-age=31536000; includeSubDomains in its security/headers settings.
  3. If the short max-age originates from Wix's own CDN, contact Wix Support and report it as a security concern — Wix periodically updates its default security headers.
  4. Verify the current header value by entering your Wix site URL at securityheaders.com.

How to fix hsts max age too short on Squarespace

  1. Squarespace sets HTTPS and HSTS automatically for all sites; you cannot edit HTTP response headers directly from the Squarespace admin panel.
  2. If a third-party CDN or proxy is in front of your Squarespace site and is setting its own (shorter) HSTS max-age, configure that CDN to send max-age=31536000; includeSubDomains.
  3. If the issue is with Squarespace's own header, contact Squarespace Support and reference OWASP A02:2021 / HSTS max-age requirement.
  4. Verify the header at securityheaders.com.

How to fix hsts max age too short on Webflow

  1. Webflow hosted sites enforce HTTPS but do not expose a UI control for custom HTTP security headers on standard hosting plans.
  2. For Webflow Enterprise: contact your Webflow account manager to request custom header configuration including Strict-Transport-Security: max-age=31536000; includeSubDomains.
  3. For sites published to a custom host (e.g. self-hosted export or via Cloudflare): in Cloudflare go to your domain → Rules → Transform Rules → Response Header Modification. Add a 'Set' rule for header name 'Strict-Transport-Security' with value 'max-age=31536000; includeSubDomains'.
  4. Alternatively, in Cloudflare's SSL/TLS → Edge Certificates section, enable HTTP Strict Transport Security (HSTS) and set Max Age to 12 months (31536000).
  5. Verify at securityheaders.com.

How to fix hsts max age too short on Adobe Commerce (Magento)

  1. Log in to the Admin panel → Stores → Configuration → General → Web → Base URLs (Secure). Confirm 'Use Secure URLs on Storefront' and 'Use Secure URLs in Admin' are both set to Yes.
  2. To set the HSTS header, edit your web-server configuration directly (Adobe Commerce is self-hosted or on Adobe Commerce Cloud).
  3. For Apache: Open <VirtualHost *:443> in your site config (e.g. /etc/apache2/sites-available/magento.conf) and add inside it: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" — then run: sudo systemctl reload apache2
  4. For Nginx: In your server { listen 443 ssl; } block in /etc/nginx/sites-available/magento.conf add: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; — then run: sudo systemctl reload nginx
  5. On Adobe Commerce Cloud (Fastly CDN): In Admin → Stores → Configuration → Advanced → System → Full Page Cache → Fastly Configuration, use the Custom VCL or Response Headers section to add the HSTS header, or configure it in the Fastly dashboard under Headers.
  6. Verify with DevTools or securityheaders.com.

How to fix hsts max age too short on Magento Open Source

  1. The same web-server steps as for Adobe Commerce above apply: edit your Apache or Nginx virtual-host config and add `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"` (Apache) or `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` (Nginx).
  2. If using a CDN such as Cloudflare in front of Magento Open Source, configure the HSTS header in Cloudflare's dashboard: SSL/TLS → Edge Certificates → HTTP Strict Transport Security → Max Age 12 months.
  3. Reload your web server after any config change and verify with securityheaders.com.

How to fix hsts max age too short on WordPress.org

  1. WordPress core does not set HSTS — you must set it at the server or plugin level.
  2. Plugin method: Install 'Headers Security Advanced & HSTS WP' or 'HTTP Headers' from Plugins → Add New. Activate and navigate to the plugin's settings page. Enable Strict-Transport-Security and set max-age to 31536000 with includeSubDomains checked.
  3. Apache method: In your root .htaccess, inside a <IfModule mod_headers.c> block add: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  4. Nginx method: In your server {} block for port 443: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; — reload Nginx after saving.
  5. Verify at securityheaders.com.

How to fix hsts max age too short on PrestaShop

  1. In the PrestaShop Admin, go to Shop Parameters → General and ensure 'Enable SSL' and 'Enable SSL on all pages' are both ON.
  2. PrestaShop does not natively set HSTS headers; add them at the web-server level.
  3. Apache: In your <VirtualHost *:443> block or .htaccess: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  4. Nginx: In your server {} block: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  5. Reload the web server and verify at securityheaders.com.

How to fix hsts max age too short on Cloudflare (CDN/proxy used with any platform)

  1. Log in to Cloudflare → select your domain.
  2. Go to SSL/TLS → Edge Certificates.
  3. Scroll to 'HTTP Strict Transport Security (HSTS)' and click 'Enable HSTS'.
  4. In the dialog, set Max Age Header to '12 months (31536000)', toggle 'Include Subdomains' on (if all subdomains use HTTPS), then click Save.
  5. Note: Do NOT enable 'Preload' until you have verified your entire domain and all subdomains are permanently on HTTPS — preload list inclusion is very difficult to reverse.
  6. Verify with securityheaders.com.
