How do I fix missing strict transport security on Wix?

Wix manages server infrastructure centrally — you cannot modify HTTP response headers directly via the Wix dashboard. Wix automatically serves all sites over HTTPS and applies HSTS headers on its infrastructure. Ensure your custom domain is connected with SSL: Wix Dashboard → Settings → Domains → confirm the padlock/SSL status is active. If the header is still reported missing after confirming SSL is active, contact Wix Support — this is an infrastructure-level control outside owner access. If you are proxying Wix through Cloudflare, you can layer HSTS on top: Cloudflare Dashboard → SSL/TLS → Edge Certificates → HSTS section → Enable.

How to fix missing strict transport security on Wix

Add an HTTP Strict-Transport-Security (HSTS) response header with at least `max-age=31536000; includeSubDomains` to every HTTPS response your store sends.

Steps for Wix

Wix manages server infrastructure centrally — you cannot modify HTTP response headers directly via the Wix dashboard.
Wix automatically serves all sites over HTTPS and applies HSTS headers on its infrastructure. Ensure your custom domain is connected with SSL: Wix Dashboard → Settings → Domains → confirm the padlock/SSL status is active.
If the header is still reported missing after confirming SSL is active, contact Wix Support — this is an infrastructure-level control outside owner access.
If you are proxying Wix through Cloudflare, you can layer HSTS on top: Cloudflare Dashboard → SSL/TLS → Edge Certificates → HSTS section → Enable.

Official Wix documentation ↗

Strict-Transport-Security: max-age=31536000; includeSubDomains

What is missing strict transport security?

HTTP Strict-Transport-Security (HSTS) is a security header your web server sends to browsers to say: "Always use HTTPS when talking to this site — never plain HTTP." Once a browser sees this header, it will automatically upgrade any future HTTP requests to HTTPS for the duration you specify (the `max-age`, measured in seconds). Without it, a visitor who types your domain or follows an old HTTP link could briefly connect over an unencrypted connection before being redirected, which is a window an attacker can exploit.

Without HSTS, your store is vulnerable to SSL-stripping attacks, where an attacker on the same network (e.g., a coffee shop Wi-Fi) intercepts the first unencrypted HTTP request before your redirect kicks in, silently reading or tampering with the connection. This can expose customer login credentials, payment data, and session cookies — creating serious legal risk under GDPR, CCPA, and PCI-DSS. Google also uses HTTPS as a ranking signal; a missing HSTS header signals an incomplete security posture that can reduce trust scores. Perhaps most directly, browsers increasingly warn users about mixed or insecure connections, and a visible browser security warning will kill conversions instantly.

See the complete Missing strict transport security guide for every platform and the full background.

Not sure if your Wix store has this?

Run a free SEOLZ audit — we’ll find missing strict transport security and every other issue across your whole site.

Scan my site free

How to fix missing strict transport security on Wix

Steps for Wix

What is missing strict transport security?

Not sure if your Wix store has this?

Fix missing strict transport security on another platform