HSTS (HTTP Strict Transport Security) Not Enabled

Only 17.5% of the top 1 million HTTPS websites have HSTS enabled, dropping to just 7% across the entire web (HTTP Archive, 2024). Without HSTS, attackers on the same network can perform SSL stripping — intercepting the initial HTTP request and serving malicious content before your redirect to HTTPS kicks in. This is especially dangerous for users on public Wi-Fi, where these attacks are trivial to execute.

Before You Fix It: What This Check Means

HSTS tells browsers to enforce HTTPS for future requests so downgrade attacks become much harder. In plain terms, this tells you whether visitors are protected by the security setup you intend to run in production. Scavo evaluates `Strict-Transport-Security` on HTTPS pages only.

Why this matters in practice: weak settings here can increase breach risk and incident blast radius before teams notice.

How to use this result: treat this as directional evidence, not final truth. A crawl snapshot cannot prove every route, subdomain, or transient edge rule is consistently configured. First, confirm the issue in live output: inspect live response headers and certificate state on the exact production host. Then ship one controlled change: ensure HTTPS is universal before enforcing strong HSTS. Finally, re-scan the same URL to confirm the result improves.

TL;DR: Your site lacks an HSTS header, allowing attackers to intercept users' first connection before the HTTPS redirect happens.

What Scavo checks (plain English)

Scavo evaluates Strict-Transport-Security on HTTPS pages only.

How Scavo scores this check

Result behavior:

  • Info: scanned URL is HTTP (HSTS not applicable until HTTPS is in place)
  • Warning: HSTS header missing
  • Warning: HSTS present but malformed/no valid max-age
  • Warning: max-age present but too short (< 15768000, six months)
  • Pass: valid HSTS with max-age >= 15768000

Scavo also records whether includeSubDomains and preload are present.

In your scan report, this appears under What failed / What needs attention / What is working for hsts, followed by Recommended next steps and Technical evidence (for developers) when needed.

  • Scan key: hsts
  • Category: SECURITY

Why fixing this matters

Without HSTS, users can still start sessions over HTTP in some scenarios and be exposed to downgrade risks before redirect logic fully protects them.

A properly tuned HSTS policy strengthens HTTPS-only behavior at the browser layer and reduces reliance on perfect redirect handling for every request path.

Common reasons this check flags

  • HTTPS enabled, but HSTS header never added.
  • Conservative/legacy short max-age values remain in production.
  • Header syntax errors from proxy/CDN config drift.
  • Teams avoid includeSubDomains due to unknown subdomain readiness.

If you are not technical

  1. Confirm all public subdomains are HTTPS-ready before broad HSTS expansion.
  2. Ask for a staged rollout plan (short max-age -> longer max-age -> optional preload).
  3. Require rollback considerations for edge cases.
  4. Re-scan and verify max-age and directives are stable.

Technical handoff message

Copy and share this with your developer.

Scavo flagged HSTS (hsts). Please configure a valid Strict-Transport-Security header with an appropriate max-age (>= 15768000), and review includeSubDomains/preload readiness before enabling globally.

If you are technical

  1. Ensure HTTPS is universal before enforcing strong HSTS.
  2. Set max-age to at least six months (often one year).
  3. Add includeSubDomains only when all subdomains are HTTPS-safe.
  4. Consider preload only after meeting preload-list requirements.
  5. Keep HSTS config centralized at edge/origin to avoid drift.

How to verify

  • curl -I https://your-domain and inspect Strict-Transport-Security.
  • Confirm max-age parses correctly and meets policy target.
  • Validate subdomain HTTPS readiness before broad directives.
  • Re-run Scavo and confirm warning/fail clears.
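The result rules from "How Scavo scores this check" and the `curl -I` step above, worked through as an added example (not Scavo's own code): a small parser for the `Strict-Transport-Security` value, a classifier that returns info/warning/pass with the six-month threshold, and a helper that pulls the header out of a raw `curl -I` dump. The sample header dump is constructed, and the duplicate-directive rule is taken from RFC 6797 rather than from this page.

```python
import re
from typing import Optional

MIN_MAX_AGE = 15768000  # six months in seconds: the check's pass threshold

def parse_hsts(value: str) -> Optional[dict]:
    """Split an STS value into {directive: value}; None if a directive repeats.
    Names are case-insensitive; RFC 6797 has browsers ignore the whole header
    when any directive appears more than once."""
    directives = {}
    for part in value.split(";"):
        if not (part := part.strip()):
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"')
    return directives

def classify_hsts(scheme: str, header: Optional[str]) -> dict:
    """Apply the result rules listed above to one (scheme, header) pair."""
    out = {"level": "info", "max_age": None, "includeSubDomains": False, "preload": False}
    if scheme.lower() != "https":
        return {**out, "reason": "scanned URL is HTTP; HSTS not applicable"}
    if header is None:
        return {**out, "level": "warning", "reason": "HSTS header missing"}
    d = parse_hsts(header)
    if d is None:
        return {**out, "level": "warning", "reason": "malformed: duplicated directive"}
    out["includeSubDomains"], out["preload"] = "includesubdomains" in d, "preload" in d
    raw = d.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", raw):  # absent, empty or non-numeric max-age
        return {**out, "level": "warning", "reason": "malformed/no valid max-age"}
    out["max_age"] = int(raw)
    if out["max_age"] < MIN_MAX_AGE:
        return {**out, "level": "warning", "reason": f"max-age < {MIN_MAX_AGE} (six months)"}
    return {**out, "level": "pass", "reason": "valid HSTS with max-age >= six months"}

def hsts_from_curl_output(raw: str) -> Optional[str]:
    """Pull the Strict-Transport-Security value out of a `curl -I` header dump."""
    for line in raw.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return val.strip()
    return None

# Constructed sample of `curl -I` output, not captured from any real host.
SAMPLE_CURL_OUTPUT = "HTTP/2 200\ncontent-type: text/html\nstrict-transport-security: max-age=31536000; includeSubDomains; preload\n"
```

Feed `classify_hsts("https", hsts_from_curl_output(open("headers.txt").read()))` the saved output of `curl -I` against your production host to reproduce the verdict locally before re-scanning.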

What this scan cannot confirm

  • It does not verify HSTS preload-list submission state.
  • It does not test every subdomain automatically.
  • It does not replace certificate lifecycle monitoring.

Owner checklist

  • [ ] Assign owner for transport security headers.
  • [ ] Document staged HSTS rollout and recovery plan.
  • [ ] Audit subdomain HTTPS readiness before includeSubDomains/preload.
  • [ ] Revalidate after CDN/proxy configuration changes.

FAQ

Is HSTS needed if we already redirect HTTP to HTTPS?

Yes. Redirects help, but HSTS adds browser-side protection against downgrade attempts.

What max-age should we use?

This check treats six months as the minimum healthy baseline; many teams use one year.

Should we enable preload immediately?

Only after confirming preload criteria and full subdomain readiness.

Can HSTS break anything?

It can if legacy/non-HTTPS subdomains still exist. Audit first.

Need an HSTS rollout checklist that is safe for multi-subdomain environments? Send support your domain/subdomain inventory.
