How to fix hsts max age too short on PrestaShop
Increase your HSTS max-age to at least 31536000 seconds (one year) so browsers keep enforcing HTTPS-only connections for a meaningful period rather than forgetting the rule minutes after a visit.
Steps for PrestaShop
- In the PrestaShop Admin, go to Shop Parameters → General and ensure 'Enable SSL' and 'Enable SSL on all pages' are both ON.
- PrestaShop does not set HSTS headers itself; add them at the web-server level, and only on HTTPS responses (browsers ignore the header on plain-HTTP responses, so sending it there is harmless but pointless).
- Apache: with mod_headers enabled, in your <VirtualHost *:443> block or .htaccess: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS (the env=HTTPS condition keeps a shared .htaccess from emitting the header on port 80).
- Nginx: in the server {} block that listens on 443: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; Note that add_header is not inherited into any location {} block that has its own add_header lines, so repeat it there if needed.
- Test the configuration (apachectl configtest or nginx -t), reload the web server, and verify with curl -I https://your-shop/ or at securityheaders.com. If you have not run HSTS before, start with a short max-age (for example 300) until every page and subdomain is confirmed to serve over HTTPS, then raise it to one year: a browser that has cached a long max-age will refuse plain HTTP to your domain until it expires, and includeSubDomains extends that to every subdomain.
Strict-Transport-Security: max-age=31536000; includeSubDomains
What is hsts max age too short?
HTTP Strict-Transport-Security (HSTS) is a response header your web server sends to browsers, telling them: "Always connect to this site over HTTPS, never plain HTTP." The `max-age` value controls how long (in seconds) a browser remembers and enforces that instruction, counted from the last response that carried the header. A value of 300 means only 5 minutes, barely longer than a single browsing session. The HSTS preload list requires a minimum of 31536000 seconds (one full year), and security scanners flag anything shorter, so that the protection persists long after a visitor closes your site.
A short max-age leaves your customers exposed to SSL-stripping and other man-in-the-middle attacks on most return visits: the browser forgets the HTTPS-only rule within minutes and will once again follow a plain http:// link or typed address before any redirect to HTTPS happens. (HSTS never protects the very first visit to a domain unless the domain is on the browser preload list; it protects the visits after that, and only for as long as max-age lasts.) This directly endangers login credentials, payment data, and personal information, the kind of weakness OWASP lists under Cryptographic Failures (A02:2021), the second entry in its Top 10. Beyond security, Google uses HTTPS as a ranking signal and Chrome warns users about insecure pages; a site that intermittently falls back to HTTP risks both rankings and customer trust. PCI DSS assessments and GDPR-driven security reviews also commonly expect HSTS to be configured correctly on sites handling payment or personal data.
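A quick way to check the header yourself, as an added example that is not part of the original page or of PrestaShop: the POSIX shell functions below extract `max-age` from a raw `Strict-Transport-Security` header line and report whether it meets the one-year minimum, and `hsts_check_url` feeds them the headers of a live HTTPS response from curl. The sample header strings are constructed for illustration; the hostname is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original page or from PrestaShop): check an
# HSTS header value for a max-age of at least one year (31536000 seconds).
MIN_MAX_AGE=31536000

# hsts_max_age: print the max-age value from a raw header line such as
# "Strict-Transport-Security: max-age=300; includeSubDomains".
# Prints nothing when the directive is absent. Case-insensitive, and strips
# the trailing CR that curl -I leaves on each header line.
hsts_max_age() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | tr -d '\r' \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# hsts_check: return 0 when the header enforces HTTPS for at least one year,
# 1 when max-age is present but too short, 2 when no HSTS directive is found.
hsts_check() {
    age=$(hsts_max_age "$1")
    if [ -z "$age" ]; then
        return 2
    elif [ "$age" -lt "$MIN_MAX_AGE" ]; then
        return 1
    fi
    return 0
}

# hsts_check_url: fetch the response headers of a live site over HTTPS and
# check them. Only the HTTPS response matters; browsers ignore HSTS sent over
# plain HTTP, so the port-80 redirect is deliberately not inspected.
hsts_check_url() {
    hdr=$(curl -sI "https://$1/" | grep -i '^strict-transport-security:')
    hsts_check "$hdr"
}

# Usage (placeholder hostname, assumed for illustration):
#   hsts_check_url shop.example.com; echo "exit code $?"   # 0 = OK, 1 = too short, 2 = missing
```

Run it against your store after reloading the web server; an exit code of 1 means the header is present but still below one year, and 2 means the header is not reaching the browser at all (often a sign it was added in a location {} block that is overridden, or only on the port-80 vhost).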
See the complete hsts max age too short guide for every platform and the full background.
Not sure if your PrestaShop store has this?
Run a free SEOLZ audit — we’ll find hsts max age too short and every other issue across your whole site.
Scan my site free