How to fix hsts max age too short on Adobe Commerce (Magento)
Increase your HSTS max-age to at least 31536000 seconds (one year) so that browsers keep enforcing HTTPS-only connections for a meaningful period after each visit. A year-long policy with includeSubDomains applies to every hostname under your domain, and a browser that has cached it will only drop it after a later visit that sends max-age=0, so confirm first that every subdomain serves valid HTTPS; if you are unsure, deploy a shorter value, fix whatever breaks, then raise it to a year.
Steps for Adobe Commerce (Magento)
- Log in to the Admin panel → Stores → Configuration → General → Web → Base URLs (Secure). Confirm 'Use Secure URLs on Storefront' and 'Use Secure URLs in Admin' are both set to Yes, so that every link and redirect Magento generates already points at HTTPS. The same page has an 'Enable HTTP Strict Transport Security (HSTS)' toggle that makes Magento itself emit a one-year max-age (without includeSubDomains) on the responses it generates; it does not cover static files or media served straight from the web server, which is why the web-server setting below is the more complete fix. Use one or the other, not both, or clients receive two Strict-Transport-Security headers and only the first one counts.
- To set the HSTS header on every response, static assets included, configure it at the web server (self-hosted installs) or at the Fastly CDN (Adobe Commerce Cloud, where the web-server configuration is managed for you and is not edited directly):
- For Apache: make sure mod_headers is enabled (sudo a2enmod headers on Debian/Ubuntu), open the <VirtualHost *:443> block in your site config (e.g. /etc/apache2/sites-available/magento.conf) and add inside it: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" then run: sudo systemctl reload apache2. Put it only in the HTTPS virtual host: browsers ignore the header on plain-HTTP responses, and the port-80 host should do nothing but redirect to HTTPS. 'always' makes Apache add the header to redirects and error responses as well as to successful ones.
- For Nginx: in the server { listen 443 ssl; } block in /etc/nginx/sites-available/magento.conf add: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; then run: sudo systemctl reload nginx. Note that Nginx does not inherit add_header into any location block that has its own add_header, and Magento's nginx.conf.sample sets X-Frame-Options and Cache-Control headers inside its /static/ and /media/ locations; repeat the Strict-Transport-Security line in those blocks (or use the headers-more module's more_set_headers, which does not have this limitation) and confirm the header on a static asset URL, not only on a storefront page. 'always' makes Nginx add it to redirects and error responses too.
- On Adobe Commerce Cloud (Fastly CDN): Fastly terminates TLS for the storefront and sets the response headers the browser sees, so the header belongs there rather than at the origin. In Admin → Stores → Configuration → Advanced → System → Full Page Cache → Fastly Configuration, use the Force TLS/HSTS setting on the Advanced tab (which also lets you set the max-age) or a Custom VCL snippet to add the header, or add it in the Fastly dashboard as a response header.
- Verify with the Network panel in browser DevTools, securityheaders.com, or curl -sI against an https:// URL: the response must carry Strict-Transport-Security with a max-age of at least 31536000, and it should appear on a static asset as well as on a storefront page. Check the http:// version of the site too; it should redirect to https://, because HSTS only protects a browser after its first successful HTTPS visit.
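To script the verification step, here is an added example (not code from this page, from Adobe or from the Magento project) that parses a Strict-Transport-Security value, checks its max-age against the one-year minimum and includeSubDomains, and checks that plain http:// redirects to https://. It assumes curl is installed; the sample header values in it are constructed for offline testing, and the hostnames in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: check a host's HSTS policy
# the way a browser will see it. Assumes curl is installed; the sample
# header values at the bottom are constructed, not captured from a real site.

MIN_AGE=31536000   # one year, the minimum the steps above ask for

# Normalise a Strict-Transport-Security value: lower-case, quotes removed,
# one directive per line, surrounding whitespace stripped.
hsts_directives() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr -d '"' | tr ';' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Print the max-age integer from a header value (nothing if the directive is missing).
hsts_max_age() {
  hsts_directives "$1" | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Succeed if the includeSubDomains directive is present.
hsts_includes_subdomains() {
  hsts_directives "$1" | grep -qx 'includesubdomains'
}

# Succeed if the policy lasts at least MIN_AGE seconds.
hsts_ok() {
  age=$(hsts_max_age "$1")
  [ -n "$age" ] && [ "$age" -ge "$MIN_AGE" ]
}

# Fetch the header from an HTTPS URL. Browsers ignore HSTS on plain-HTTP
# responses, so the check is only meaningful over https://.
fetch_hsts() {
  curl -sSI "https://$1$2" | tr -d '\r' \
    | sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity:[[:space:]]*//p' | head -n 1
}

# Print where the plain-HTTP URL redirects to (empty if it does not redirect).
http_redirect_target() {
  curl -sS -o /dev/null -w '%{redirect_url}' "http://$1/"
}

# Check one host at one path and report; non-zero exit means something to fix.
check_site() {
  host=$1; path=${2:-/}
  hdr=$(fetch_hsts "$host" "$path")
  if [ -z "$hdr" ]; then
    echo "$host$path: no Strict-Transport-Security header"; return 1
  fi
  if ! hsts_ok "$hdr"; then
    echo "$host$path: max-age too short: $hdr"; return 1
  fi
  if hsts_includes_subdomains "$hdr"; then
    echo "$host$path: OK: $hdr"
  else
    echo "$host$path: OK but without includeSubDomains: $hdr"
  fi
  case $(http_redirect_target "$host") in
    https://*) echo "$host: http:// redirects to https://" ;;
    *) echo "$host: WARNING http:// does not redirect to https://"; return 1 ;;
  esac
}

# Constructed sample values for offline testing (not real server output):
SHORT_HSTS='max-age=300; includeSubDomains'
GOOD_HSTS='max-age=31536000; includeSubDomains'
QUOTED_HSTS='max-age="31536000"; includeSubDomains; preload'

# Usage (placeholder hostnames):
#   check_site www.example.com /          storefront page
#   check_site www.example.com /static/   asset served straight by the web server
```

Run check_site against both a storefront URL and a /static/ path: the second one is what catches the Nginx location-block inheritance problem described above, because a page can carry the header while assets served by a different location block do not.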
Strict-Transport-Security: max-age=31536000; includeSubDomains
What is hsts max age too short?
HTTP Strict Transport Security (HSTS) is a response header your web server sends over HTTPS telling the browser: "For this host, always connect over HTTPS, never plain HTTP, and do not let the user click through certificate errors." The `max-age` value is how long, in seconds, the browser keeps enforcing that rule, counted from the last HTTPS response that carried the header. A value of 300 is five minutes, shorter than many shopping sessions, so the protection expires almost as soon as a visitor leaves. Common guidance, including the requirements for the browser HSTS preload list and the checks most header scanners run, sets a minimum of 31536000 seconds (one full year) so that the rule still holds when a customer returns months later.
A short max-age leaves your customers exposed to SSL-stripping and other man-in-the-middle attacks on most return visits, because the browser forgets the HTTPS-only rule within minutes and will again attempt an insecure HTTP connection (for example when a user types the domain without a scheme or follows an old http:// link). That endangers login credentials, payment data and personal information, the kind of weakness OWASP lists as A02:2021 Cryptographic Failures, its second-ranked web security risk. HSTS also only takes effect after a browser's first successful HTTPS visit, which is why the preload list exists and why the http:// site should redirect to https:// before the header is ever seen. Beyond security, Google uses HTTPS as a ranking signal and Chrome warns users on insecure pages, so a site that intermittently falls back to HTTP risks both rankings and customer trust. PCI DSS requires strong cryptography for cardholder data in transit and the GDPR requires appropriate technical measures for personal data; neither names HSTS, but a correctly configured header is a standard way to show that HTTPS is actually enforced.
See the complete HSTS max-age too short guide for every platform and the full background.
Not sure if your Adobe Commerce (Magento) store has this?
Run a free SEOLZ audit — we’ll find hsts max age too short and every other issue across your whole site.
Scan my site free