How to fix hsts max age too short on Shopify
Increase your HSTS max-age to at least 31536000 (one year) so browsers enforce HTTPS-only connections for a meaningful period.
Steps for Shopify
- Shopify sets the Strict-Transport-Security header itself, at its edge/CDN layer, on every storefront (myshopify.com and custom domains). There is no field in the Shopify admin to add or change this header, so you cannot set it manually; your job is to confirm what the edge is actually sending.
- If you are using a custom domain, go to Admin → Settings → Domains and confirm the domain shows an active SSL/TLS certificate. Until the certificate is issued, the storefront cannot serve HTTPS reliably and no HSTS value will help.
- If a third-party proxy (e.g. Cloudflare) sits in front of your Shopify store and rewrites response headers, the value the browser sees is the proxy's, so set HSTS there instead. In Cloudflare this is under SSL/TLS → Edge Certificates → HTTP Strict Transport Security; set max-age to 31536000. Only enable includeSubDomains if every subdomain of the domain already serves HTTPS, because the browser will refuse plain-HTTP connections to all of them for the full max-age.
- Verify the live header value at securityheaders.com by entering your storefront URL, or fetch it directly with curl so you see the exact value rather than a grade.
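A small checker for the verification step, added here as an example (it is not Shopify's, Cloudflare's or SEOLZ's code). It pulls the Strict-Transport-Security header from a storefront with curl and classifies the max-age against the one-year threshold, including the two edge cases a scanner can get wrong: a missing header and max-age=0, which tells browsers to delete the policy rather than shorten it. The hostname passed on the command line is whatever store you want to test; the sample header values in the comments are constructed.

```shell
#!/bin/sh
# check_hsts.sh: classify a Strict-Transport-Security header value.
# Added example, not code from Shopify or the page's author.

MIN_MAX_AGE=31536000   # one year, the threshold used by hstspreload.org and most scanners

# Extract the numeric max-age from a header value (case-insensitive, optional quotes).
# Prints the number, or nothing if no max-age directive is present.
#   hsts_max_age 'max-age=31536000; includeSubDomains'  -> 31536000
hsts_max_age() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' \
    | sed -n 's/.*max-age="\{0,1\}\([0-9][0-9]*\).*/\1/p'
}

# Exit 0 if the includeSubDomains directive is present, 1 otherwise.
hsts_include_subdomains() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' | grep -q 'includesubdomains'
}

# Print one of OK / TOO_SHORT / DISABLED / MISSING; exit 0 only for OK.
#   hsts_verdict 'max-age=300'  -> TOO_SHORT
hsts_verdict() {
  age=$(hsts_max_age "$1")
  if [ -z "$age" ]; then
    echo MISSING; return 1            # header absent or has no max-age directive
  elif [ "$age" -eq 0 ]; then
    echo DISABLED; return 1           # max-age=0 makes browsers forget the policy entirely
  elif [ "$age" -lt "$MIN_MAX_AGE" ]; then
    echo TOO_SHORT; return 1
  else
    echo OK; return 0
  fi
}

# Fetch the header from the live storefront (GET, not HEAD, since some edges treat HEAD
# differently) and report. Requires network access; the hostname is the caller's own store.
check_site() {
  host=$1
  hdr=$(curl -sS -o /dev/null -D - "https://$host/" \
        | grep -i '^strict-transport-security:' | tail -n 1 \
        | sed 's/^[^:]*: *//' | tr -d '\r')
  printf '%s: %s (value: "%s")\n' "$host" "$(hsts_verdict "$hdr")" "$hdr"
  if hsts_include_subdomains "$hdr"; then
    echo "  includeSubDomains is set: every subdomain must serve HTTPS"
  fi
}

# Usage: sh check_hsts.sh your-store.example
if [ "$#" -gt 0 ]; then
  check_site "$1"
fi
```

Run it against the custom domain and the myshopify.com domain separately; if a proxy sits in front of the custom domain, the two results will differ and the proxy's value is the one customers receive.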
Strict-Transport-Security: max-age=31536000; includeSubDomains
What is hsts max age too short?
HTTP Strict-Transport-Security (HSTS) is a response header your web server sends to browsers, telling them: "Always connect to this site over HTTPS, never plain HTTP." The `max-age` value controls how long (in seconds) a browser remembers and enforces that instruction after its last HTTPS visit. A value of 300 means only five minutes, barely longer than a single browsing session. RFC 6797 itself sets no minimum, but the HSTS preload list (hstspreload.org) requires at least 31536000 seconds (one full year) and most scanners flag anything shorter, because the protection should persist long after a visitor closes your site.
A short max-age leaves your customers exposed to SSL-stripping and man-in-the-middle attacks on most return visits: once the browser forgets the HTTPS-only rule, an attacker on the same network can intercept the next plain-HTTP request (for example a typed URL without https://) and keep the victim on HTTP. Note that HSTS never protects the very first visit, since the browser has not yet seen the header; only preloading closes that gap. The data at risk is login credentials, payment data, and personal information, the kind of exposure OWASP classes under Cryptographic Failures (A02:2021), ranked second in the 2021 Top 10. Beyond security, Google uses HTTPS as a ranking signal and Chrome labels plain-HTTP pages "Not secure"; a site that intermittently falls back to HTTP risks both rankings and customer trust. Assessors working to PCI DSS or GDPR also commonly flag a missing or short HSTS policy on sites that handle payment or personal data.
See the complete Hsts max age too short guide for every platform and the full background.