Strict Transport Security Not Enforced
What Is HSTS?
HSTS (HTTP Strict Transport Security, RFC 6797) is a browser-enforced policy: once a site has sent the Strict-Transport-Security header over HTTPS, the browser rewrites every later http:// request for that host to https:// for as long as max-age says, whether the user typed the URL, clicked a link, or was redirected, and it no longer lets the user click through certificate errors for that host.
It protects against man-in-the-middle (MITM) attacks such as SSL stripping, where an attacker on the network keeps the victim on plain HTTP. Because the policy is learned from a response, the very first visit over HTTP is not protected; that gap is what preloading closes.
What Does the Warning Mean?
If a site doesn’t properly implement HSTS, tools like SSL Labs or browser developer tools may show the warning:
“Strict-Transport-Security not enforced”
- The site still answers plain-HTTP requests instead of redirecting them to HTTPS
- The Strict-Transport-Security header is missing from the HTTPS response (sending it only on HTTP responses does not count; browsers ignore the header unless it arrives over HTTPS)
- The max-age value is too low to be effective, for example a few seconds or minutes, or max-age=0, which tells browsers to discard the stored policy
How to Fix It
Add the Strict-Transport-Security header to every HTTPS response (browsers ignore it on plain-HTTP responses), and redirect all HTTP requests to HTTPS so the first visit also ends up on a connection that can deliver the header.
Example Header:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Header Breakdown:
- max-age=31536000: browsers enforce HTTPS for this host for one year (the value is in seconds); the timer restarts on every response that carries the header
- includeSubDomains: apply the policy to every subdomain as well, so make sure all of them actually serve valid HTTPS before adding it
- preload: signals consent to inclusion in the HSTS preload list built into browsers (submitted at hstspreload.org); that list also requires a max-age of at least one year, includeSubDomains, and an HTTP-to-HTTPS redirect on the same host
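As an added example (not part of the original article), the following Python script checks for each of the conditions listed under “What Does the Warning Mean?” and the header directives described above. It parses the header the way RFC 6797 tells browsers to (directive names are case-insensitive, unknown directives are ignored, a repeated directive or a missing max-age invalidates the header), compares max-age against the one-year minimum the hstspreload.org list requires, and verifies that the plain-HTTP response is a redirect to HTTPS on the same host. The sample responses at the bottom are constructed, not captured from any real site; only `check_site` needs network access, and the host names, function names and message strings are my own choices.

```python
"""Offline evaluator for HSTS headers (added example, not from the original article)."""
import http.client
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

ONE_YEAR = 31536000                 # minimum max-age accepted by the hstspreload.org list
REDIRECT_STATUSES = {301, 302, 307, 308}


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: list = field(default_factory=list)   # reasons a browser would ignore the header


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value following RFC 6797 section 6.1."""
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()             # directive names are case-insensitive
        arg = arg.strip().strip('"')            # max-age="300" is allowed as a quoted string
        if name in seen:                        # a repeated directive invalidates the header
            policy.errors.append(f"directive '{name}' appears more than once")
            continue
        seen.add(name)
        if name == "max-age":
            if arg.isdigit():
                policy.max_age = int(arg)
            else:
                policy.errors.append(f"max-age is not a non-negative integer: {arg!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # any other directive is ignored, as the RFC requires
    if "max-age" not in seen:
        policy.errors.append("required max-age directive is missing")
    return policy


def evaluate(https_headers: dict, host: str, http_status: Optional[int] = None,
             http_location: Optional[str] = None) -> list:
    """Return the findings behind a 'Strict-Transport-Security not enforced' warning.

    https_headers are the response headers of https://host/; http_status and
    http_location describe the response to http://host/. An empty list means the
    policy is enforced and meets the preload requirements."""
    findings = []
    value = {k.lower(): v for k, v in https_headers.items()}.get("strict-transport-security")
    if value is None:
        findings.append("Strict-Transport-Security header missing on HTTPS response")
    else:
        policy = parse_hsts(value)
        findings.extend(policy.errors)
        if policy.max_age == 0:
            findings.append("max-age=0 disables HSTS and tells browsers to forget the policy")
        elif policy.max_age is not None and policy.max_age < ONE_YEAR:
            findings.append(f"max-age={policy.max_age} is below one year ({ONE_YEAR}); "
                            "acceptable during rollout, too short for preload")
        if not policy.include_subdomains:
            findings.append("includeSubDomains missing: subdomains can still be reached over HTTP")
        if policy.preload and not (policy.include_subdomains and (policy.max_age or 0) >= ONE_YEAR):
            findings.append("preload directive set but the policy does not meet preload list requirements")
    if http_status is not None:
        target = urlparse(http_location or "")
        if not (http_status in REDIRECT_STATUSES and target.scheme == "https"
                and target.hostname == host):
            findings.append("plain-HTTP request is not redirected to HTTPS on the same host")
    return findings


def check_site(host: str) -> list:
    """Live check (needs network): fetch https://host/ and http://host/ and evaluate them."""
    https = http.client.HTTPSConnection(host, timeout=10)
    https.request("GET", "/")
    resp = https.getresponse()
    headers = {}
    for name, val in resp.getheaders():
        headers.setdefault(name.lower(), val)   # RFC 6797 8.1: only the first STS field counts
    resp.read()
    https.close()
    plain = http.client.HTTPConnection(host, timeout=10)
    plain.request("GET", "/")
    redirect = plain.getresponse()              # http.client does not follow redirects
    status, location = redirect.status, redirect.getheader("Location")
    plain.close()
    return evaluate(headers, host, status, location)


if __name__ == "__main__":
    # Constructed sample responses for a hypothetical example.com (not captured from a real site).
    samples = {
        "good":    ({"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}, 301, "https://example.com/"),
        "missing": ({"Content-Type": "text/html"}, 200, None),
        "weak":    ({"Strict-Transport-Security": "max-age=300"}, 301, "https://example.com/"),
    }
    for label, (hdrs, status, loc) in samples.items():
        print(label, evaluate(hdrs, "example.com", status, loc) or ["enforced"])
```

Run it as-is to see the three constructed cases; call `check_site("your.domain")` from a shell with network access to evaluate a real deployment. Because `http.client` does not follow redirects, the script sees the port-80 response itself, which is exactly what the preload list checks.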
Where to Set It
Nginx (inside the server block that listens on 443 with ssl; note that add_header is not inherited by a location block that declares its own add_header, so repeat it there):
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
Apache (requires mod_headers; place it in the <VirtualHost *:443> block, not the port-80 one):
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Cloudflare:
- Navigate to SSL/TLS > Edge Certificates
- Enable HTTP Strict Transport Security (HSTS) and configure the options
Important Notes
- Only enable HSTS once every host covered by the policy serves valid HTTPS; a browser that has stored the policy refuses to connect over HTTP and will not let users bypass certificate errors
- Roll out with a short max-age first (minutes to a day), then raise it to a year once nothing breaks; to back out, serve max-age=0 over HTTPS, which only reaches browsers that revisit before their stored policy expires
- If you use preload, your domain ends up in the preload list shipped with browsers; removal is possible but takes months to propagate, so treat it as effectively permanent
Summary
| Item | Summary |
|---|---|
| Risk | “Strict-Transport-Security not enforced” means browsers have not been told to insist on HTTPS, so a first or downgraded connection to your site can be stripped to plain HTTP |
| Fix | Send the HSTS header on every HTTPS response with a max-age of at least a year and includeSubDomains, and redirect HTTP to HTTPS |
| Tools | Use securityheaders.com or SSL Labs to verify |