How do I fix missing strict transport security on Shopify?

Shopify's infrastructure automatically enforces HTTPS and sends the HSTS header for all stores on *.myshopify.com and custom domains connected through Shopify. In your Shopify Admin go to Online Store → Domains. Ensure your custom domain is connected and the SSL certificate status shows 'Connected' (green padlock icon). Once the domain is connected and SSL is active, Shopify will serve the HSTS header automatically — no code change is needed. If you use a custom reverse proxy or a third-party CDN (e.g., Cloudflare) in front of Shopify, configure HSTS in that layer instead (see Cloudflare steps below). Verify by opening DevTools → Network → reload your homepage → click the document request → check Response Headers for 'strict-transport-security'.

How to fix missing strict transport security on Shopify

Add an HTTP Strict-Transport-Security (HSTS) response header with at least `max-age=31536000; includeSubDomains` to every HTTPS response your store sends.

Steps for Shopify

Shopify's infrastructure automatically enforces HTTPS and sends the HSTS header for all stores on *.myshopify.com and custom domains connected through Shopify.
In your Shopify Admin go to Online Store → Domains. Ensure your custom domain is connected and the SSL certificate status shows 'Connected' (green padlock icon).
Once the domain is connected and SSL is active, Shopify will serve the HSTS header automatically — no code change is needed.
If you use a custom reverse proxy or a third-party CDN (e.g., Cloudflare) in front of Shopify, configure HSTS in that layer instead (see Cloudflare steps below).
Verify by opening DevTools → Network → reload your homepage → click the document request → check Response Headers for 'strict-transport-security'.

Official Shopify documentation ↗

Strict-Transport-Security: max-age=31536000; includeSubDomains

What is missing strict transport security?

HTTP Strict-Transport-Security (HSTS) is a security header your web server sends to browsers to say: "Always use HTTPS when talking to this site — never plain HTTP." Once a browser sees this header, it will automatically upgrade any future HTTP requests to HTTPS for the duration you specify (the `max-age`, measured in seconds). Without it, a visitor who types your domain or follows an old HTTP link could briefly connect over an unencrypted connection before being redirected, which is a window an attacker can exploit.

Without HSTS, your store is vulnerable to SSL-stripping attacks, where an attacker on the same network (e.g., a coffee shop Wi-Fi) intercepts the first unencrypted HTTP request before your redirect kicks in, silently reading or tampering with the connection. This can expose customer login credentials, payment data, and session cookies — creating serious legal risk under GDPR, CCPA, and PCI-DSS. Google also uses HTTPS as a ranking signal; a missing HSTS header signals an incomplete security posture that can reduce trust scores. Perhaps most directly, browsers increasingly warn users about mixed or insecure connections, and a visible browser security warning will kill conversions instantly.

See the complete Missing strict transport security guide for every platform and the full background.

Not sure if your Shopify store has this?

Run a free SEOLZ audit — we’ll find missing strict transport security and every other issue across your whole site.

Scan my site free

How to fix missing strict transport security on Shopify

Steps for Shopify

What is missing strict transport security?

Not sure if your Shopify store has this?

Fix missing strict transport security on another platform