Strict-Transport-Security Header is Missing

Impact: Low


The absence of the HTTP Strict-Transport-Security (HSTS) response header leaves a website vulnerable to protocol downgrade attacks and session hijacking. Without this header, attackers can potentially intercept and manipulate unencrypted HTTP traffic, compromising the confidentiality and integrity of sensitive data exchanged between the client and server.


To enhance security, configure your server to send the Strict-Transport-Security header for all pages with a suitable max-age directive, instructing browsers to enforce HTTPS connections. Additionally, consider including the includeSubDomains directive to extend HSTS protection to all subdomains of your site.


Last updated on May 13, 2024

Use SmartScanner Free version to test for this issue