HSTS Header
The Strict-Transport-Security header tells browsers to use HTTPS only for your domain, for as long as the policy lasts, once they have seen it on an HTTPS response (or find your domain on the browser preload list).
Severity: medium
What is this?
HSTS (HTTP Strict Transport Security) is a response header that tells browsers: "always use HTTPS for this domain - never HTTP, even if someone types http://."
Strict-Transport-Security: max-age=31536000; includeSubDomains
Once a browser receives this header on an HTTPS response, it rewrites every http:// URL for your domain to https:// before sending anything, for max-age seconds (31536000 = 1 year), even if the user or a link tries to use HTTP. Browsers ignore the header on plain-HTTP responses, so it only counts when served over HTTPS. includeSubDomains extends the policy to every subdomain. A third directive, preload, signals that you want the domain added to the HSTS preload list that ships with browsers; that list is the only thing that covers a browser's very first visit, and getting off it again takes months, so treat it as a long-term commitment.
Why it matters
Even with HTTPS and a redirect, there's a window of vulnerability on the first visit to your site:
1. User types yourdomain.com
2. Browser connects over HTTP first
3. Your server redirects to HTTPS
4. Browser follows the redirect
Steps 2-3 happen over plain HTTP. On public WiFi, an attacker (man-in-the-middle) can intercept that initial HTTP request, answer it themselves and rewrite every https:// link in the page, so the user stays on HTTP the whole time while the attacker talks HTTPS to your server. This is called an SSL stripping attack. Once a browser has cached your HSTS policy it skips step 2 entirely and goes straight to HTTPS, so the attacker never sees a plaintext request. The policy does not help before the browser has seen the header at least once over HTTPS, or after max-age has lapsed; a long max-age and the preload list exist to close those two gaps.
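To make the mechanics concrete, here is an added example in Python (not code from the original page) that models what a browser does with the header: it parses the directives as RFC 6797 specifies, keeps a per-host policy store, and decides whether a later http:// navigation is rewritten to https://. The host names and clock values in walkthrough() are constructed for the demonstration.

```python
"""How a browser applies Strict-Transport-Security (RFC 6797).

Added example, not code from the original page. Parses the header the way a
browser does, keeps a per-host policy store, and decides whether a plain
http:// navigation is rewritten to https://. Host names and timestamps are
constructed for the walkthrough.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an STS header value; None means the header is invalid and ignored
    (missing max-age, repeated directive, non-numeric max-age)."""
    seen = set()
    max_age = None
    include_sub = preload = False
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:                     # a repeated directive invalidates the header
            return None
        seen.add(name)
        raw = raw.strip().strip('"')         # values may be quoted
        if name == "max-age":
            if not re.fullmatch(r"\d+", raw):
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, which keeps the header extensible
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


class HstsCache:
    """Per-host HSTS store: host -> (expiry time, includeSubDomains)."""

    def __init__(self):
        self._entries = {}

    def observe(self, host: str, scheme: str, header: Optional[str], now: float) -> None:
        """Record a response. Only an HTTPS response can set or clear the policy;
        the header on a plain-HTTP response is ignored."""
        if scheme != "https" or header is None:
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy.max_age == 0:              # max-age=0 tells the browser to forget the host
            self._entries.pop(host.lower(), None)
            return
        self._entries[host.lower()] = (now + policy.max_age, policy.include_subdomains)

    def should_upgrade(self, host: str, now: float) -> bool:
        """True if http://host must be rewritten to https://host before any request."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now < expires_at and (i == 0 or include_sub):
                return True
        return False


def walkthrough() -> dict:
    """Replays the first-visit scenario from the text with constructed data."""
    cache = HstsCache()
    t0 = 1_700_000_000.0                      # constructed clock value
    r = {}
    # First ever visit: nothing cached, so the browser starts on plain HTTP.
    r["first_visit_upgraded"] = cache.should_upgrade("example.com", t0)
    # Anything an on-path attacker injects into that HTTP response is ignored.
    cache.observe("example.com", "http", "max-age=31536000", t0)
    r["http_header_honoured"] = cache.should_upgrade("example.com", t0)
    # The redirect target answers over HTTPS and sets the policy.
    cache.observe("example.com", "https", "max-age=31536000; includeSubDomains", t0)
    r["after_https_header"] = cache.should_upgrade("example.com", t0 + 1)
    r["subdomain_covered"] = cache.should_upgrade("api.example.com", t0 + 1)
    r["unrelated_host"] = cache.should_upgrade("example.net", t0 + 1)
    # The policy lapses max-age seconds after the last HTTPS response that carried it.
    r["after_expiry"] = cache.should_upgrade("example.com", t0 + 31536000)
    return r
```

Running walkthrough() shows the two gaps described above: the very first http:// request is not upgraded because nothing is cached yet, and a header injected into that HTTP response changes nothing. Everything after the first HTTPS response is upgraded, subdomains included, until max-age lapses.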
How to fix it
Add this header to all HTTPS responses, not just the home page; a browser can first reach your site on any URL:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Before shipping the one-year value, confirm that every subdomain works over HTTPS: includeSubDomains covers internal and legacy hosts too, and once a browser has cached the policy it refuses to load any of them over HTTP until max-age expires. Roll out with a short max-age first (a few minutes), then raise it once nothing breaks.
Providers & tools
| Platform | How to add HSTS |
|---|---|
| Cloudflare | SSL/TLS → Edge Certificates → HTTP Strict Transport Security → Enable, then set the max age and, only if every subdomain already serves HTTPS, apply the policy to subdomains |
| Vercel | `vercel.json` headers config: `{"headers": [{"source": "/(.*)", "headers": [{"key": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains"}]}]}` |
| Nginx | In the `server` block that listens on 443: `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` (`always` keeps the header on error responses too) |
| Express | `app.use(helmet())` sets HSTS by default, but with a 180-day max-age; use `app.use(helmet({ hsts: { maxAge: 31536000 } }))` for a full year |
| FastAPI | Starlette's `HTTPSRedirectMiddleware` only redirects HTTP requests to HTTPS; it does not set the header. Add it from your own ASGI middleware on HTTPS responses, or set it at the reverse proxy in front of uvicorn |
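The FastAPI row deserves a concrete answer, since the framework has no built-in HSTS middleware. The following is an added example (not the page's code, and not part of FastAPI or Starlette): a pure-ASGI middleware that appends the header to responses for requests that arrived over TLS. It depends only on the ASGI interface, so a FastAPI app can register it with app.add_middleware(HstsMiddleware). The hello_app and the request scope built in response_headers() are constructed stand-ins so the block runs offline.

```python
"""Pure-ASGI middleware that adds Strict-Transport-Security to HTTPS responses.

Added example, not the page's code and not part of FastAPI or Starlette; it
depends only on the ASGI interface, so a FastAPI app can register it with
app.add_middleware(HstsMiddleware). hello_app and the scope built in
response_headers() are constructed stand-ins for a real application.
"""
import asyncio

HSTS_VALUE = b"max-age=31536000; includeSubDomains"


class HstsMiddleware:
    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        # Only responses to requests that arrived over TLS get the header. Browsers
        # ignore it on plain HTTP anyway, and leaving it off there keeps a
        # misconfigured TLS termination visible instead of silently "working".
        if scope["type"] != "http" or scope.get("scheme") != "https":
            await self.app(scope, receive, send)
            return

        async def send_with_hsts(message):
            if message["type"] == "http.response.start":
                # Drop any value the app set so exactly one policy is sent, then add ours.
                headers = [(k, v) for k, v in message.get("headers", [])
                           if k.lower() != b"strict-transport-security"]
                headers.append((b"strict-transport-security", HSTS_VALUE))
                message = {**message, "headers": headers}
            await send(message)

        await self.app(scope, receive, send_with_hsts)


async def hello_app(scope, receive, send):
    """Minimal ASGI app standing in for the real one (constructed for the example)."""
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": b"hello"})


def response_headers(scheme: str) -> dict:
    """Drive one request with the given scheme through the middleware offline and
    return the response headers as a str dict."""
    app = HstsMiddleware(hello_app)
    scope = {"type": "http", "scheme": scheme, "method": "GET", "path": "/",
             "headers": []}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    start = next(m for m in sent if m["type"] == "http.response.start")
    return {k.decode(): v.decode() for k, v in start["headers"]}


if __name__ == "__main__":
    print("https:", response_headers("https"))
    print("http: ", response_headers("http"))
```

One caveat when the app sits behind a reverse proxy that terminates TLS: scope["scheme"] is whatever the ASGI server derives, and uvicorn only trusts X-Forwarded-Proto when started with --proxy-headers from an address listed in --forwarded-allow-ips. If that is not set up, every request looks like plain HTTP to the middleware and the header is never sent; in that deployment it is simpler to add the header at the proxy, as in the Nginx row above.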