How to fix hsts max age too short on Webflow
Increase your HSTS max-age to at least 31536000 (one year) so browsers enforce HTTPS-only connections for a meaningful period.
Steps for Webflow
- Webflow-hosted sites are served over HTTPS, but standard hosting plans offer no UI for adding custom HTTP response headers such as Strict-Transport-Security.
- For Webflow Enterprise: ask your Webflow account manager to configure custom response headers, including Strict-Transport-Security: max-age=31536000; includeSubDomains.
- For sites published to a custom host (for example a self-hosted export, or a domain proxied through Cloudflare): in Cloudflare go to your domain → Rules → Transform Rules → Response Header Modification and add a rule with the "Set static" action, header name Strict-Transport-Security and value max-age=31536000; includeSubDomains.
- Alternatively, in Cloudflare's SSL/TLS → Edge Certificates section, enable HTTP Strict Transport Security (HSTS) and set Max Age Header to 12 months (31536000 seconds). Cloudflare shows a warning you must accept first, because a site that later loses working HTTPS becomes unreachable in every browser that cached the header until the max-age runs out.
- Before adding includeSubDomains, confirm that every subdomain (staging, API, mail or marketing hosts) is reachable over HTTPS: browsers will refuse plain-HTTP connections to all of them for the full max-age. Leave out the preload directive unless you intend to submit the domain to the browser preload list, which is far harder to reverse.
- Verify at securityheaders.com, or fetch the response headers yourself and confirm that max-age is at least 31536000 and that includeSubDomains is present.
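The verification step above, done by hand, is a matter of reading one header and comparing one number. The script below is an added example (not code from the original page, from Webflow or from Cloudflare) that parses the Strict-Transport-Security header out of a raw response and reports whether the max-age meets the one-year bar; the function names and the sample responses in it are this example's own.

```python
"""HSTS header check, added here as an example; it is not code from the
original page, from Webflow or from Cloudflare. The function names and the
sample responses below are this example's own."""
from __future__ import annotations

import re
import urllib.request

ONE_YEAR = 31536000  # the max-age threshold recommended above, in seconds


def parse_hsts(raw_headers: str) -> dict[str, str] | None:
    """Return the directives of the first Strict-Transport-Security header in
    a raw HTTP header block (as printed by curl -I), or None if it is absent.
    Header and directive names are case-insensitive, so keys are lower-cased;
    a directive without a value (includeSubDomains, preload) maps to ''."""
    for line in raw_headers.replace("\r\n", "\n").split("\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "strict-transport-security":
            continue
        directives: dict[str, str] = {}
        for part in value.split(";"):
            part = part.strip()
            if part:
                key, _, val = part.partition("=")
                directives[key.strip().lower()] = val.strip().strip('"')
        return directives
    return None


def grade_hsts(raw_headers: str, min_age: int = ONE_YEAR) -> list[str]:
    """Return findings for the header; an empty list means it meets the bar.
    max-age must be a non-negative integer (max-age=0 is valid but tells the
    browser to forget the site, so it is reported as too short here)."""
    directives = parse_hsts(raw_headers)
    if directives is None:
        return ["missing: no Strict-Transport-Security header"]
    findings = []
    age = directives.get("max-age")
    if age is None or not re.fullmatch(r"\d+", age):
        findings.append("invalid: max-age is absent or not an integer")
    elif int(age) < min_age:
        findings.append(f"too-short: max-age={age} is below {min_age}")
    if "includesubdomains" not in directives:
        findings.append("note: includeSubDomains not set, so subdomains are not covered")
    return findings


def grade_url(url: str) -> list[str]:
    """Live check (needs network): send a HEAD request and grade the response.
    urllib follows redirects, so an http:// URL is graded on its final response."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=10) as response:
        raw = "".join(f"{k}: {v}\r\n" for k, v in response.getheaders())
    return grade_hsts(raw)


# Constructed sample responses, not captured from any real site.
SHORT = "HTTP/2 200\r\nstrict-transport-security: max-age=300\r\ncontent-type: text/html\r\n"
GOOD = "HTTP/2 200\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
MISSING = "HTTP/2 200\r\ncontent-type: text/html\r\n"

if __name__ == "__main__":
    for label, raw in (("short", SHORT), ("good", GOOD), ("missing", MISSING)):
        print(label, grade_hsts(raw) or ["ok"])
```

Run the file directly to see the verdicts for the three constructed responses, or call grade_url("https://your-domain.example") against a live site. A header that carries a max-age but no includeSubDomains is reported as a note rather than a failure, because whether subdomains should be covered is the decision discussed in the steps above.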
Strict-Transport-Security: max-age=31536000; includeSubDomains
What is hsts max age too short?
HTTP Strict Transport Security (HSTS) is a response header your web server sends to browsers, telling them: "Always connect to this site over HTTPS, never plain HTTP." The `max-age` value is how long, in seconds, the browser remembers and enforces that instruction, counted from the last HTTPS response that carried the header. A value of 300 is only five minutes: the rule is refreshed while the visitor keeps browsing, but it lapses almost as soon as they leave. Common guidance, and the requirement of the browser HSTS preload list, is at least 31536000 seconds (one full year), so that the protection persists long after a visitor closes your site. Note that the header only takes effect once the browser has seen it over HTTPS: the very first visit to a site, or the first visit after the entry has expired, still starts over HTTP unless the domain is preloaded.
A short max-age leaves your customers exposed to SSL stripping and other man-in-the-middle attacks on most return visits: the browser forgets the HTTPS-only rule within minutes of leaving, so the next time the user types the bare domain or follows an http:// link, the first request goes out in plain text and an attacker on the path can keep the session there. That directly endangers login credentials, payment data and personal information, the kind of failure OWASP lists as A02:2021 Cryptographic Failures, the second of its Top 10 web application risks. Beyond security, Google uses HTTPS as a ranking signal and Chrome warns users about insecure pages, so a site that can fall back to HTTP risks both rankings and customer trust. PCI DSS and GDPR reviews also commonly expect transport encryption to be enforced for payment and personal data, and HSTS is the mechanism that enforces it in the browser.
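To make the "most return visits" claim concrete, here is an added example, not code from the original page or from any browser, that models the browser's HSTS store and replays a visit schedule against it with max-age=300 and with max-age=31536000. The class and function names and the visit schedule are this example's own; the rules it models (the entry is set or refreshed by every HTTPS response carrying the header, expires max-age seconds later, and covers subdomains only with includeSubDomains) are those of RFC 6797.

```python
"""Model of a browser's HSTS store, added here as an example; it is not code
from the original page or from any browser. Class and function names and the
visit schedule are this example's own; the rules modelled (the entry is set or
refreshed by every HTTPS response that carries the header, expires max-age
seconds later, and covers subdomains only with includeSubDomains) are those of
RFC 6797."""
from __future__ import annotations

DAY = 86400


class HstsStore:
    """Maps a host to (expiry time, includeSubDomains flag)."""

    def __init__(self) -> None:
        self._entries: dict[str, tuple[float, bool]] = {}

    def observe(self, host: str, max_age: int, include_subdomains: bool, now: float) -> None:
        """Record the header from an HTTPS response received at time `now`.
        max-age=0 tells the browser to forget the host."""
        if max_age == 0:
            self._entries.pop(host, None)
        else:
            self._entries[host] = (now + max_age, include_subdomains)

    def enforces(self, host: str, now: float) -> bool:
        """True if an http:// navigation to `host` would be upgraded to HTTPS.
        The host itself and each parent domain are checked; a parent's entry
        applies only if it was set with includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if now >= expiry:
                del self._entries[candidate]  # expired entries are dropped
                continue
            if i == 0 or include_subdomains:
                return True
        return False


def unprotected_visits(max_age: int, visit_times: list[int], host: str = "shop.example") -> list[int]:
    """Simulate a user who types the bare hostname (an http:// navigation) at
    each time in `visit_times`. When the store does not enforce HTTPS the first
    request goes out in plain text: that is the window an on-path attacker
    uses for SSL stripping. Each visit ends on HTTPS, where the site's header
    refreshes the entry. Returns the visit times that started over plain HTTP
    (the very first visit always does: HSTS is trust-on-first-use)."""
    store = HstsStore()
    exposed = []
    for t in visit_times:
        if not store.enforces(host, t):
            exposed.append(t)
        store.observe(host, max_age, True, t)
    return exposed


# Constructed visit schedule: first visit, 4 minutes later, 2 days, 30 days,
# then a long absence (400 days, more than a year after the previous visit).
VISITS = [0, 240, 2 * DAY, 30 * DAY, 400 * DAY]

if __name__ == "__main__":
    print("max-age=300:     ", unprotected_visits(300, VISITS))       # [0, 172800, 2592000, 34560000]
    print("max-age=31536000:", unprotected_visits(31536000, VISITS))  # [0, 34560000]
```

With max-age=300 only the visit four minutes after the first one is protected; every visit on a later day starts over plain HTTP. With a one-year max-age every visit is protected except the first and the one that comes more than a year after the previous HTTPS visit, which is the residual gap that the browser preload list exists to close.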
See the complete Hsts max age too short guide for every platform and the full background.
Not sure if your Webflow site has this?
Run a free SEOLZ audit — we’ll find hsts max age too short and every other issue across your whole site.