Fix

Missing HSTS

Add Strict-Transport-Security so browsers always use HTTPS for your domain.

What this means

Without HSTS, a user's first contact with your site (or any request after the policy has expired) can be made over plain HTTP, which is where downgrade and SSL-stripping attacks happen. HSTS instructs the browser to use HTTPS only for your domain for the period you specify.

Fix steps
  • Confirm your site works fully on HTTPS (including all subdomains you plan to include).
  • Set HSTS at your CDN/edge or reverse proxy (preferred) so it’s consistent across routes.
  • Start with a conservative max-age, validate behavior, then increase to 6–12 months.
  • Only add includeSubDomains if every subdomain is HTTPS-ready.
  • Only add preload if you’re ready to commit long-term and meet preload requirements.
Common starting header
Strict-Transport-Security: max-age=15552000; includeSubDomains
Verify
  • Re-run Headers Check and confirm Strict-Transport-Security shows as present and expected.
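As an added example, not part of this fix page or its checker, here is a small Python validator for the Strict-Transport-Security value that applies the thresholds above: the 6-month starting point from the header shown, and the documented preload requirements (max-age of at least one year, includeSubDomains and preload all present). The header dict and the thresholds are constructed for illustration; the parsing follows the directive syntax of RFC 6797.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Thresholds: 6 months matches the starting header on this page; 1 year,
# includeSubDomains and preload are the published preload-list requirements.
SIX_MONTHS = 15552000
ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    unknown: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value: ';'-separated directives,
    names case-insensitive, max-age takes a (possibly quoted) integer."""
    policy = HstsPolicy()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy.max_age = int(arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        else:
            policy.unknown.append(directive)  # keep for reporting, do not fail
    return policy


def assess(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response-header dict (header names matched case-insensitively)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["missing: no Strict-Transport-Security header"]
    p = parse_hsts(value)
    findings = []
    if p.max_age is None:
        findings.append("invalid: max-age directive is required")
    elif p.max_age == 0:
        findings.append("disabled: max-age=0 tells browsers to forget the policy")
    elif p.max_age < SIX_MONTHS:
        findings.append(f"weak: max-age={p.max_age} is below 6 months ({SIX_MONTHS})")
    # preload only makes sense once the policy is at its long-term strength
    if p.preload and (p.max_age is None or p.max_age < ONE_YEAR or not p.include_subdomains):
        findings.append("preload: requires max-age>=31536000 and includeSubDomains")
    return findings or ["ok"]
```

Feed it the headers from your own HTTPS response (for example the dict returned by an HTTP client) and treat anything other than `["ok"]` as a reason to revisit the fix steps.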