How to fix missing strict transport security on WooCommerce

Steps for WooCommerce

1. WooCommerce runs on WordPress, so HSTS must be set at the server or hosting level — WordPress/PHP itself does not control response headers by default.
2. Apache: Open your site's .htaccess file (in the public_html/wp root). Inside the `<IfModule mod_headers.c>` block (or add one), insert: `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"`. Save and reload Apache.
3. Nginx: Edit your server block config (e.g., /etc/nginx/sites-available/yoursite.conf). Inside the `server { ... }` block for port 443, add: `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`. Run `nginx -t` then reload Nginx.
4. cPanel hosting: Use the 'Headers' module under Apache Configuration, or install the free 'Headers & Options' section in your cPanel's .htaccess editor.
5. Plugin alternative: Install the free 'HTTP Headers' plugin by WebFactory (WordPress.org). Go to WP Admin → HTTP Headers → Security → toggle on Strict-Transport-Security → set max-age to 31536000, check includeSubDomains → Save.
6. Verify in browser DevTools → Network → document response headers.

Strict-Transport-Security: max-age=31536000; includeSubDomains

What is missing strict transport security?

HTTP Strict-Transport-Security (HSTS) is a security header your web server sends to browsers to say: "Always use HTTPS when talking to this site — never plain HTTP." Once a browser sees this header, it will automatically upgrade any future HTTP requests to HTTPS for the duration you specify (the `max-age`, measured in seconds). Without it, a visitor who types your domain or follows an old HTTP link could briefly connect over an unencrypted connection before being redirected, which is a window an attacker can exploit.

Without HSTS, your store is vulnerable to SSL-stripping attacks, where an attacker on the same network (e.g., a coffee shop Wi-Fi) intercepts the first unencrypted HTTP request before your redirect kicks in, silently reading or tampering with the connection. This can expose customer login credentials, payment data, and session cookies — creating serious legal risk under GDPR, CCPA, and PCI-DSS. Google also uses HTTPS as a ranking signal; a missing HSTS header signals an incomplete security posture that can reduce trust scores. Perhaps most directly, browsers increasingly warn users about mixed or insecure connections, and a visible browser security warning will kill conversions instantly.

See the complete Missing strict transport security guide for every platform and the full background.