
Why it Matters

Even if a site supports HTTPS, a user who types the bare domain name, follows an old http:// link or opens a stale bookmark makes the browser send a plaintext HTTP request first. Without extra protection, an attacker on the network path (a hostile Wi-Fi hotspot, a compromised router) can intercept that first request, answer it themselves and keep the whole session on unencrypted HTTP, rewriting every https:// link on the way (SSL stripping).

HTTP Strict Transport Security (HSTS) is a response header, sent over HTTPS, that tells the browser to use HTTPS only for your domain for the next max-age seconds: http:// URLs are rewritten to https:// before any request leaves the browser, and certificate errors can no longer be clicked through. Because the header is only trusted when it arrives over HTTPS, the very first visit is still unprotected; the preload list closes that gap by shipping the policy inside the browser. With a correct HSTS configuration, HTTPS is the only option.

Verification Steps

Manual

# Check response headers (the header only counts on an HTTPS response;
# browsers ignore it on http:// responses)
curl -sI https://yourstore.com | grep -i strict-transport-security

# Expected:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Remediation / Fix Guidance

  1. Enable HSTS in your web server configuration, on the HTTPS (port 443) server block or virtual host only (the `always` keyword makes both servers send the header on error responses as well, not just on 200s; Apache needs mod_headers loaded):
    # Nginx
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    # Apache
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  2. Test thoroughly before adding preload. Preloading is close to irreversible: the policy is compiled into browsers, removal from the list takes months to reach users, and includeSubDomains (which the list requires) means every subdomain, including internal and forgotten ones, must serve valid HTTPS or it becomes unreachable. Roll out with a short max-age first (for example 300), then raise it to at least 31536000 (one year), which the preload list also requires.
  3. Submit your domain to the HSTS preload list once stable: https://hstspreload.org.
  4. Clear old caches/CDN rules that might strip headers, and check that http://yourstore.com redirects to https:// with the header present on the redirect target.
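The manual curl check above tells you whether the header exists; the following shell script, added here as an example and not part of the original baseline, goes one step further and grades the header value against the requirements hstspreload.org enforces (max-age of at least one year, includeSubDomains, preload), which is also the check to run before step 3. The function names, the PRELOAD_MIN_AGE constant and the verdict strings are this example's own choices; check_hsts_url needs network access, check_hsts_value does not.

```shell
#!/bin/sh
# Added example (not from the original page): parse a
# Strict-Transport-Security header value and grade it against the
# hstspreload.org requirements. Names below are our own conventions.

PRELOAD_MIN_AGE=31536000   # one year in seconds, the minimum the preload list accepts

# check_hsts_value "<header value>"
#   Prints one PASS/FAIL line and returns 0 (pass) or 1 (fail).
check_hsts_value() {
    value=$1
    if [ -z "$value" ]; then
        echo "FAIL: no Strict-Transport-Security header"
        return 1
    fi

    max_age="" has_subdomains=0 has_preload=0 problems=""
    # Directives are ';'-separated and case-insensitive; max-age may be quoted.
    old_ifs=$IFS; IFS=';'
    for directive in $value; do
        d=$(printf '%s' "$directive" | tr -d ' \t"' | tr '[:upper:]' '[:lower:]')
        case $d in
            max-age=*)         max_age=${d#max-age=} ;;
            includesubdomains) has_subdomains=1 ;;
            preload)           has_preload=1 ;;
        esac
    done
    IFS=$old_ifs

    case $max_age in
        ''|*[!0-9]*) problems="$problems max-age-missing-or-invalid" ;;
        0)           problems="$problems max-age=0-(HSTS-disabled)" ;;   # max-age=0 tells browsers to forget the policy
        *) [ "$max_age" -ge "$PRELOAD_MIN_AGE" ] || problems="$problems max-age-below-one-year" ;;
    esac
    [ "$has_subdomains" -eq 1 ] || problems="$problems includeSubDomains-missing"
    [ "$has_preload" -eq 1 ]    || problems="$problems preload-missing"

    if [ -n "$problems" ]; then
        echo "FAIL:$problems"
        return 1
    fi
    echo "PASS: max-age=$max_age; includeSubDomains; preload"
    return 0
}

# check_hsts_url https://yourstore.com
#   Fetches the response headers with curl (network required), extracts the
#   first Strict-Transport-Security header and grades it.
check_hsts_url() {
    value=$(curl -sI "$1" | tr -d '\r' \
            | grep -i '^strict-transport-security:' | head -n 1 | cut -d: -f2-)
    check_hsts_value "$value"
}

# Usage: . ./hsts_check.sh && check_hsts_url https://yourstore.com
```

Run check_hsts_url against the apex domain and every subdomain you intend to cover; a FAIL on any of them is a reason not to submit to the preload list yet. The checker deliberately treats max-age=0 as its own failure, because that value is how a site backs out of HSTS and it is easy to leave behind after a rollback.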

Examples

Fail Example

# No HSTS header present
$ curl -sI https://mystore.com
HTTP/2 200
# Headers: (no Strict-Transport-Security)

Pass Example

# HSTS header with strong policy
$ curl -sI https://mystore.com
HTTP/2 200
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
