Missing strict transport security

Quick win

Add an HTTP Strict-Transport-Security (HSTS) response header with at least `max-age=31536000; includeSubDomains` to every HTTPS response your store sends.

What it is

HTTP Strict-Transport-Security (HSTS) is a security header your web server sends to browsers to say: "Always use HTTPS when talking to this site — never plain HTTP." Once a browser sees this header, it will automatically upgrade any future HTTP requests to HTTPS for the duration you specify (the `max-age`, measured in seconds). Without it, a visitor who types your domain or follows an old HTTP link could briefly connect over an unencrypted connection before being redirected, which is a window an attacker can exploit.

Why it matters

Without HSTS, your store is vulnerable to SSL-stripping attacks, where an attacker on the same network (e.g., a coffee shop Wi-Fi) intercepts the first unencrypted HTTP request before your redirect kicks in, silently reading or tampering with the connection. This can expose customer login credentials, payment data, and session cookies — creating serious legal risk under GDPR, CCPA, and PCI-DSS. Google also uses HTTPS as a ranking signal; a missing HSTS header signals an incomplete security posture that can reduce trust scores. Perhaps most directly, browsers increasingly warn users about mixed or insecure connections, and a visible browser security warning will kill conversions instantly.

How to fix it

  1. Confirm your store is fully served over HTTPS with a valid, trusted TLS certificate before enabling HSTS — adding HSTS to an HTTP or broken-HTTPS site will lock visitors out.
  2. Decide on your HSTS policy: start with a short max-age (e.g., 300 seconds) in staging to verify nothing breaks, then increase to 31536000 (one year) for production.
  3. Add the response header `Strict-Transport-Security: max-age=31536000; includeSubDomains` to every HTTPS response. Only add the `preload` directive after you have confirmed the full policy works and you intend to submit to the HSTS preload list.
  4. Ensure your server or CDN does NOT send the HSTS header on plain HTTP responses. Browsers ignore an HSTS header received over HTTP (RFC 6797), so the HTTP listener should only redirect to HTTPS; if the header does show up on an HTTP response, the directive has been placed in a server block or CDN rule that covers both listeners.
  5. Verify the header is present by loading your storefront in a browser, opening DevTools → Network tab → click the main document request → inspect Response Headers for `strict-transport-security`.
  6. Optionally submit your domain to the HSTS preload list (hstspreload.org) once you are confident. This bakes HTTPS enforcement directly into Chrome, Firefox, Safari, and Edge, eliminating the first-visit window entirely. Treat preloading as a one-way decision: removal from the list takes months to reach users, and because the list requires `includeSubDomains`, every subdomain you run must be able to serve HTTPS before you submit.

The resulting header line on every HTTPS response: `Strict-Transport-Security: max-age=31536000; includeSubDomains`
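As an added example (not part of the original guide), a small Python checker that applies steps 2 to 4 above to a captured set of response headers, such as those printed by `curl -I`: it parses the header value, flags a missing header on HTTPS, a `max-age` below one year, a missing `includeSubDomains`, a `preload` directive added before the policy qualifies, and an HSTS header wrongly sent on a plain HTTP response. The header dicts passed in are assumed to be constructed by the caller.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the production max-age this guide recommends

@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool

def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value: ';'-separated directives,
    case-insensitive names, max-age required (RFC 6797)."""
    max_age, include_subdomains, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"\d+", arg):
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)

def check_response(scheme: str, headers: Dict[str, str]) -> List[str]:
    """Findings for one response against the guide's policy; [] means it passes."""
    # Header names are case-insensitive, so match them the way a browser does.
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if scheme == "http":
        # Browsers ignore HSTS on plain HTTP (step 4); its presence signals
        # a server block or CDN rule applied to the wrong listener.
        return ["HSTS sent on plain HTTP response"] if value is not None else []
    if value is None:
        return ["Strict-Transport-Security header missing on HTTPS response"]
    policy, findings = parse_hsts(value), []
    if policy.max_age is None:
        findings.append("max-age missing or malformed")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age={policy.max_age} is below one year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set")
    if policy.preload and findings:
        findings.append("preload set before the policy meets preload requirements")
    return findings
```

Run it against both the `http://` and `https://` response of the storefront; the staging value from step 2 (`max-age=300`) is reported as below one year by design, so only promote to production once it is clean at 31536000.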

Fix it on your platform

Pick your platform for the exact steps.

How to fix missing strict transport security on Shopify
  1. Shopify's infrastructure automatically enforces HTTPS and sends the HSTS header for all stores on *.myshopify.com and custom domains connected through Shopify.
  2. In your Shopify Admin go to Online Store → Domains. Ensure your custom domain is connected and the SSL certificate status shows 'Connected' (green padlock icon).
  3. Once the domain is connected and SSL is active, Shopify will serve the HSTS header automatically — no code change is needed.
  4. If you use a custom reverse proxy or a third-party CDN (e.g., Cloudflare) in front of Shopify, configure HSTS in that layer instead (see Cloudflare steps below).
  5. Verify by opening DevTools → Network → reload your homepage → click the document request → check Response Headers for 'strict-transport-security'.
How to fix missing strict transport security on Shopify Plus
  1. Same as Shopify above — HSTS is managed at the infrastructure level.
  2. For Plus stores using Shopify's custom checkout domain or headless storefronts behind a custom CDN/proxy, configure the HSTS header in your CDN or load balancer (e.g., Cloudflare, Fastly, AWS CloudFront) as a custom response header rule.
  3. In Cloudflare: Security → Settings → enable HSTS, or Rules → Transform Rules → Response Header Modification → add header `Strict-Transport-Security` with value `max-age=31536000; includeSubDomains`.
How to fix missing strict transport security on WooCommerce
  1. WooCommerce runs on WordPress, so HSTS must be set at the server or hosting level — WordPress/PHP itself does not control response headers by default.
  2. Apache: Open your site's .htaccess file (in the public_html/wp root). Inside the `<IfModule mod_headers.c>` block (or add one), insert: `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"`. Save and reload Apache.
  3. Nginx: Edit your server block config (e.g., /etc/nginx/sites-available/yoursite.conf). Inside the `server { ... }` block for port 443, add: `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`. Note that Nginx `add_header` directives are inherited from the `server` level only when a `location` block defines none of its own, so any `location` block that already has its own `add_header` lines (cache headers for static files are a common case) must repeat the HSTS line. Run `nginx -t` then reload Nginx.
  4. cPanel hosting: Use the 'Headers' module under Apache Configuration, or install the free 'Headers & Options' section in your cPanel's .htaccess editor.
  5. Plugin alternative: Install the free 'HTTP Headers' plugin by WebFactory (WordPress.org). Go to WP Admin → HTTP Headers → Security → toggle on Strict-Transport-Security → set max-age to 31536000, check includeSubDomains → Save.
  6. Verify in browser DevTools → Network → document response headers.
How to fix missing strict transport security on BigCommerce
  1. BigCommerce manages the underlying infrastructure and automatically sends HSTS headers for storefronts on *.bigcommerce.com and SSL-enabled custom domains.
  2. In your BigCommerce Admin go to Store Setup → Store Profile and ensure your custom domain has an active SSL certificate (BigCommerce provisions this automatically via Let's Encrypt).
  3. If you are using a custom CDN or reverse proxy (e.g., Cloudflare) in front of BigCommerce, configure HSTS as a custom response header in your CDN dashboard.
  4. For Cloudflare: SSL/TLS → Edge Certificates → Enable HSTS → set Max-Age to 12 months, enable 'Apply HSTS policy to subdomains'.
  5. Verify with DevTools as described above.
How to fix missing strict transport security on Wix
  1. Wix manages server infrastructure centrally — you cannot modify HTTP response headers directly via the Wix dashboard.
  2. Wix automatically serves all sites over HTTPS and applies HSTS headers on its infrastructure. Ensure your custom domain is connected with SSL: Wix Dashboard → Settings → Domains → confirm the padlock/SSL status is active.
  3. If the header is still reported missing after confirming SSL is active, contact Wix Support — this is an infrastructure-level control outside owner access.
  4. If you are proxying Wix through Cloudflare, you can layer HSTS on top: Cloudflare Dashboard → SSL/TLS → Edge Certificates → HSTS section → Enable.
How to fix missing strict transport security on Squarespace
  1. Squarespace handles all SSL and security headers at the infrastructure level; individual header values are not configurable via the Squarespace dashboard.
  2. Confirm your domain has SSL enabled: Squarespace Admin → Settings → Domains → your domain should show a green lock / 'SSL Active'.
  3. Squarespace enables HSTS for all sites on its platform. If a scanner flags the header as missing on your Squarespace site, it may be scanning an HTTP URL before the redirect — test the HTTPS version directly.
  4. If you proxy Squarespace through Cloudflare, add HSTS in Cloudflare: SSL/TLS → Edge Certificates → HSTS → Enable, Max-Age 1 year, Include Subdomains.
How to fix missing strict transport security on Webflow
  1. Webflow automatically provisions SSL certificates and sends HSTS headers for all sites hosted on Webflow's infrastructure (*.webflow.io and custom domains).
  2. In your Webflow Dashboard → go to your Project Settings → Publishing → Custom Domain → ensure the domain shows 'SSL Active'.
  3. Webflow sends HSTS by default once SSL is active — no code change is needed in the Webflow Designer or CMS.
  4. If you are using a custom reverse proxy or Cloudflare in front of Webflow, configure HSTS there: Cloudflare → SSL/TLS → Edge Certificates → HSTS section → Enable, set max-age to 31536000, enable includeSubDomains.
  5. Verify in DevTools → Network → document response headers for `strict-transport-security`.
How to fix missing strict transport security on Adobe Commerce (Magento)
  1. Open your Nginx or Apache virtual host config for the store.
  2. Nginx: In the SSL server block add: `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` — then run `nginx -t && systemctl reload nginx`.
  3. Apache: In the VirtualHost block for port 443 add: `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"` — then run `apachectl configtest && systemctl reload apache2`.
  4. If you use a CDN (Fastly, Cloudflare, Varnish), configure the header there so it is sent on every edge response.
  5. Adobe Commerce Cloud (cloud.magento.com): Update your `.magento.app.yaml` or configure Fastly via the Magento Admin → Stores → Configuration → Advanced → System → Full Page Cache → Fastly Configuration → Custom VCL snippets to inject the header.
  6. Flush the Magento full-page cache after any config change: Admin → System → Cache Management → Flush Cache Storage.
  7. Verify with DevTools or `curl -I https://yourstore.com` and look for the `strict-transport-security` header.
How to fix missing strict transport security on Magento Open Source
  1. Follow the same Apache/Nginx server-config steps as Adobe Commerce above — they share the same codebase and hosting model.
  2. Add `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` (Nginx) or the equivalent Apache `Header always set` directive in your SSL VirtualHost.
  3. Alternatively, use a PHP-based approach in Magento's index.php or a custom plugin that calls `header()` before output, guarded so it only runs for HTTPS requests (browsers ignore HSTS sent over plain HTTP). The server-config approach is preferred for performance and reliability.
  4. Flush Magento caches after any change.
How to fix missing strict transport security on PrestaShop
  1. PrestaShop runs on Apache or Nginx — add the HSTS header at the server config level.
  2. Apache: Edit .htaccess in the PrestaShop root or your VirtualHost config. Add inside `<IfModule mod_headers.c>`: `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"`.
  3. Nginx: In the SSL server block add: `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`
  4. Reload the web server and verify with DevTools or curl.
How to fix missing strict transport security on OpenCart
  1. OpenCart runs on Apache/Nginx — add HSTS at the web server config or .htaccess level.
  2. Apache: In your .htaccess or VirtualHost (SSL section) add: `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"`.
  3. Nginx: In your SSL server block add: `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`
  4. Reload the web server. Verify with browser DevTools.
How to fix missing strict transport security on WordPress.org
  1. WordPress.org (self-hosted) — set HSTS at the server or plugin level, not in WordPress PHP.
  2. Recommended plugin: Install 'HTTP Headers' by WebFactory from the WordPress plugin directory. Admin → HTTP Headers → Security Headers → Strict-Transport-Security → Enable → set max-age=31536000, check includeSubDomains → Save.
  3. Server-level (Apache): Add `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"` inside a `<IfModule mod_headers.c>` block in .htaccess.
  4. Server-level (Nginx): Add `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` in the SSL server block.
  5. Verify in DevTools → Network → document response headers.
How to fix missing strict transport security on WooCommerce
  1. WooCommerce is a WordPress plugin — follow the WordPress.org steps above exactly. HSTS is controlled at the server/hosting layer, not within WooCommerce settings.
  2. If on managed WordPress hosting (WP Engine, Kinsta, SiteGround, etc.), check the hosting dashboard for a 'Security' or 'Headers' panel, or contact support — many managed hosts apply HSTS automatically.
  3. Plugin option: Use the 'HTTP Headers' plugin as described in the WordPress.org steps above.
