How to fix missing strict transport security on Adobe Commerce (Magento)

Add an HTTP Strict-Transport-Security (HSTS) response header with at least `max-age=31536000; includeSubDomains` to every HTTPS response your store sends. Browsers ignore the header on plain-HTTP responses, so keep your existing HTTP-to-HTTPS redirect in place; HSTS supplements that redirect rather than replacing it. Before enabling `includeSubDomains`, confirm every subdomain of the store (admin, static, media, mail hosts) serves valid HTTPS, because browsers will refuse plain-HTTP connections to all of them for the full `max-age`.

Steps for Adobe Commerce (Magento)

  1. Open your Nginx or Apache virtual host config for the store.
  2. Nginx: In the SSL server block add: `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` — then run `nginx -t && systemctl reload nginx`.
  3. Apache: In the VirtualHost block for port 443 add: `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"` — then run `apachectl configtest && systemctl reload apache2`.
  4. If you use a CDN (Fastly, Cloudflare, Varnish), configure the header there so it is sent on every edge response.
  5. Adobe Commerce Cloud (cloud.magento.com): Update your `.magento.app.yaml` or configure Fastly via the Magento Admin → Stores → Configuration → Advanced → System → Full Page Cache → Fastly Configuration → Custom VCL snippets to inject the header.
  6. Flush the Magento full-page cache after any config change: Admin → System → Cache Management → Flush Cache Storage.
  7. Verify with DevTools or `curl -I https://yourstore.com` and look for the `strict-transport-security` header.
The resulting response header: `Strict-Transport-Security: max-age=31536000; includeSubDomains`
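The verification in step 7 is easy to get wrong by eye (a `max-age` of 300 or a missing `includeSubDomains` still shows a header). This added example, which is not part of the original guide, parses the header out of `curl -I` output and checks it against the policy above; it assumes POSIX sh with curl, grep, sed and tr, and `yourstore.com` is a placeholder.

```shell
# hsts_value HEADERS: print the Strict-Transport-Security value from a block of
# response headers (header names are case-insensitive; CRs are stripped).
# Prints nothing when the header is absent.
hsts_value() {
  printf '%s\n' "$1" | tr -d '\r' \
    | grep -i '^strict-transport-security:' | head -n 1 \
    | sed 's/^[^:]*:[[:space:]]*//'
}

# check_hsts VALUE: return 0 when max-age >= 31536000 (one year) and
# includeSubDomains is present, 1 otherwise. Directives are ';'-separated,
# case-insensitive, and max-age may be quoted (RFC 6797).
check_hsts() {
  max_age=''
  subdomains=0
  old_ifs=$IFS; IFS=';'
  for d in $1; do
    d=$(printf '%s' "$d" | tr -d ' \t"' | tr 'A-Z' 'a-z')
    case $d in
      max-age=*) max_age=${d#max-age=} ;;
      includesubdomains) subdomains=1 ;;
    esac
  done
  IFS=$old_ifs
  case $max_age in
    ''|*[!0-9]*) return 1 ;;   # missing or non-numeric max-age
  esac
  [ "$max_age" -ge 31536000 ] && [ "$subdomains" -eq 1 ]
}

# audit_site URL: fetch the live response headers and check them.
# Use the https:// URL; the header is only honoured on HTTPS responses.
audit_site() {
  headers=$(curl -sI "$1") || return 1
  check_hsts "$(hsts_value "$headers")"
}

# Constructed sample of what `curl -I` prints for a correctly configured store.
SAMPLE_OK='HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains
'

# Usage: audit_site https://yourstore.com && echo "HSTS policy OK"
```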

What is missing strict transport security?

HTTP Strict-Transport-Security (HSTS) is a security header your web server sends to browsers to say: "Always use HTTPS when talking to this site — never plain HTTP." Once a browser sees this header, it will automatically upgrade any future HTTP requests to HTTPS for the duration you specify (the `max-age`, measured in seconds). Without it, a visitor who types your domain or follows an old HTTP link could briefly connect over an unencrypted connection before being redirected, which is a window an attacker can exploit. Note that the browser must have received the header at least once over HTTPS before it enforces the policy, so a visitor's very first connection is only protected if the domain is on the browsers' built-in HSTS preload list.

Without HSTS, your store is vulnerable to SSL-stripping attacks, where an attacker on the same network (e.g., a coffee shop Wi-Fi) intercepts the first unencrypted HTTP request before your redirect kicks in, silently reading or tampering with the connection. This can expose customer login credentials, payment data, and session cookies — creating serious legal and compliance risk under GDPR, CCPA, and PCI-DSS. Google also uses HTTPS as a ranking signal, and a missing HSTS header points to an incomplete security posture that can lower trust scores. Perhaps most directly, browsers increasingly warn users about mixed or insecure connections, and a visible browser security warning will kill conversions instantly.

See the complete Missing strict transport security guide for every platform and the full background.
