Security fix guide
Missing HSTS Header
HTTP Strict-Transport-Security is not set. Users can be downgraded to insecure HTTP connections via man-in-the-middle attacks.
Issue ID: SEC-HSTS-001
Severity: high
Impact: Med
Effort: S
Use this article when
- You need deeper remediation guidance than the issue card can show.
- You want CMS-specific steps before handing the fix to a developer.
- You want a repeatable re-check path after shipping the change.
What this issue is
The site's HTTPS responses do not carry a Strict-Transport-Security (HSTS) header. HSTS tells a browser that, for the next max-age seconds, it must talk to this host only over HTTPS: it rewrites http:// links to https:// before sending them, refuses to connect when the certificate is invalid (no click-through warning), and, with includeSubDomains, applies the same rule to every subdomain. Without the header, a browser that is sent to http://your-site (a typed address, an old link, a third-party redirect) makes a plaintext request first and relies on your server to redirect it, and that first plaintext request is where an attacker can step in.
Why it matters
Every visit that starts at an http:// URL travels over the network in plaintext before your redirect to HTTPS is ever seen. An attacker on the path (public Wi-Fi, a compromised router, a hostile network operator) can answer that first request instead of your server and keep the user on HTTP for the whole session, serving a look-alike copy of the site while reading or rewriting everything the visitor submits. HSTS closes that window after the first successful HTTPS visit and also stops users from clicking through certificate warnings on your domain. The header is also a standard item in browser and scanner checks, so its absence shows up in security-header reports and weakens the trust signals visitors rely on before submitting contact details.
How we detect it
- FreeSiteAudit flags this issue when the rule for SEC-HSTS-001 fails and the page evidence points to HTTP headers.
- Confirm it by looking at the response headers of the HTTPS version of the page (browser DevTools, Network tab, select the document request, Response Headers), not the page source: HSTS is a response header set by the web server, CDN or hosting platform, and a CMS template cannot add it. Browsers only honour the header on responses received over HTTPS, so a header that appears only on the http:// response does not count.
Evidence examples
The evidence is the response header block of the affected page as fetched over https://. A failing page has no Strict-Transport-Security line among its headers, or has one whose value is invalid (no max-age directive, or a directive repeated), which browsers silently ignore. A passing page returns a line such as Strict-Transport-Security: max-age=31536000; includeSubDomains on every HTTPS response, including redirects and error pages.
How to fix it
1. Add the Strict-Transport-Security header to every HTTPS response, at the layer that terminates TLS: the web server (Nginx, Apache, IIS), the CDN or reverse proxy, or the hosting platform's security-headers setting. Do not send it on plain-HTTP responses; browsers ignore it there, and the http:// side should simply redirect to https://.
2. Recommended value once you are confident: max-age=31536000; includeSubDomains (one year, applied to all subdomains). Before adding includeSubDomains, check that every subdomain (mail, staging, internal tools) is reachable over HTTPS, because the directive makes browsers refuse plain HTTP to all of them.
3. Start with a short max-age (e.g., 300, five minutes) and raise it in steps (a day, a week, a year) after confirming that all pages, assets and redirects work over HTTPS. A short max-age limits the damage if something breaks; max-age=0 tells browsers to forget the policy.
4. Optionally add the preload directive and submit the domain at hstspreload.org so browsers ship with the policy built in, which also protects the very first visit. Preloading requires a max-age of at least one year, includeSubDomains, the preload directive and an HTTP-to-HTTPS redirect on the bare domain; it is slow to undo, so only do it once the one-year policy has been live without problems.
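As an added example for this guide (not FreeSiteAudit code and not a setting of any particular CMS or web server), the procedure above in working form: a small Python WSGI middleware that emits the header only on HTTPS responses, with the value assembled from the ramp-up parameters and the preload rules checked before anything is sent. The WSGI interface, demo_app and the rollout values are assumptions; a server that terminates TLS in front of the app must set wsgi.url_scheme from a trusted forwarded-proto header for the HTTPS check to work.

```python
"""WSGI middleware that adds Strict-Transport-Security to HTTPS responses only.

Added example for this guide, not code from FreeSiteAudit or from any CMS.
Assumes a WSGI app; demo_app and the rollout values are hypothetical.
"""
from typing import Callable, Dict, List, Tuple

ONE_YEAR = 31536000
Headers = List[Tuple[str, str]]


def build_hsts_value(max_age: int, include_subdomains: bool = True,
                     preload: bool = False) -> str:
    """Assemble the header value. The preload list requires max-age of at
    least one year plus includeSubDomains, so an inconsistent request is
    refused rather than silently shipping a header the list would reject."""
    if max_age < 0:
        raise ValueError("max-age must be a non-negative number of seconds")
    if preload and (max_age < ONE_YEAR or not include_subdomains):
        raise ValueError("preload needs max-age >= 31536000 and includeSubDomains")
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


class HSTSMiddleware:
    """Wraps a WSGI app and sets the header on every HTTPS response, including
    redirects and error pages, which is what the re-check expects to see."""

    def __init__(self, app: Callable, max_age: int,
                 include_subdomains: bool = True, preload: bool = False):
        self.app = app
        self.value = build_hsts_value(max_age, include_subdomains, preload)

    def __call__(self, environ: Dict, start_response: Callable):
        def hsts_start_response(status, headers: Headers, exc_info=None):
            # Browsers ignore HSTS on plain-HTTP responses, so only add it on
            # HTTPS. wsgi.url_scheme must be set by the server (behind a
            # TLS-terminating proxy, from a trusted X-Forwarded-Proto).
            if environ.get("wsgi.url_scheme") == "https":
                # One place owns the policy: drop any header the app itself set.
                headers = [(k, v) for k, v in headers
                           if k.lower() != "strict-transport-security"]
                headers.append(("Strict-Transport-Security", self.value))
            return start_response(status, headers, exc_info)
        return self.app(environ, hsts_start_response)


def demo_app(environ, start_response):
    """Hypothetical application: plain text on /, a redirect everywhere else."""
    if environ.get("PATH_INFO", "/") == "/":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"hello"]
    start_response("302 Found", [("Location", "/")])
    return [b""]


def response_headers(scheme: str, path: str = "/", max_age: int = 300,
                     include_subdomains: bool = True,
                     preload: bool = False) -> Dict[str, str]:
    """Drive the wrapped app once (no real server) and return its headers,
    lower-cased, so the effect of the middleware can be inspected."""
    app = HSTSMiddleware(demo_app, max_age, include_subdomains, preload)
    captured: Dict[str, Headers] = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = list(headers)

    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET", "PATH_INFO": path}
    b"".join(app(environ, start_response))
    return {k.lower(): v for k, v in captured["headers"]}


if __name__ == "__main__":
    for scheme in ("http", "https"):
        print(scheme, response_headers(scheme, max_age=ONE_YEAR))
```

Step 3 maps onto the max_age argument: deploy with max_age=300, then raise it once the HTTPS-only site has been checked, and only pass preload=True once the one-year value has been live. The same split (HTTPS responses only, one owner for the header, redirects and error pages included) applies whatever layer you configure it at.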
How to re-check it
- Fetch the HTTPS URL and inspect the headers: curl -sI https://www.example.com/ (or curl -s -D - -o /dev/null https://www.example.com/ if the server answers HEAD differently from GET) and look for a Strict-Transport-Security line with the expected max-age. In browser DevTools, open the Network tab, reload, and read the Response Headers of the document request. Check a redirect and a 404 as well as the home page, since a header added in a page template or application route is often missing there, and always check the https:// URL, because a header on the http:// response is ignored by browsers.
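The same re-check as a script, added here as an example and not FreeSiteAudit's own checker: it parses the header value the way RFC 6797 tells browsers to (directives separated by ';', names case-insensitive, max-age required, no directive repeated, an invalid header ignored entirely) and reports the weak settings described above. The header sets used in its checks are constructed; fetch_headers is the live variant and needs network access.

```python
"""Re-check helper: assess a response's Strict-Transport-Security header.

Added example for this guide, not FreeSiteAudit's checker. Directive syntax
follows RFC 6797 (';'-separated, names case-insensitive, max-age required,
no directive repeated, invalid header ignored by browsers). Sample header
sets passed to assess() are constructed, not captured from a real site.
"""
from dataclasses import dataclass, field
from http.client import HTTPSConnection
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

ONE_YEAR = 31536000


@dataclass
class HSTSResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> Tuple[Dict[str, Optional[str]], Optional[str]]:
    """Split 'max-age=300; includeSubDomains' into {'max-age': '300',
    'includesubdomains': None}. Returns (directives, error); a non-None error
    means a browser would discard the whole header."""
    directives: Dict[str, Optional[str]] = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, has_value, val = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            return directives, f"directive {name} repeated"
        directives[name] = val.strip().strip('"') if has_value else None
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return directives, "max-age missing or not a number"
    return directives, None


def assess(headers: Dict[str, str], scheme: str = "https") -> HSTSResult:
    """Evaluate the headers of one response that was fetched over `scheme`."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    result = HSTSResult(present="strict-transport-security" in hdrs)
    if scheme != "https":
        result.findings.append("checked an http:// response; browsers ignore HSTS there, re-check over https://")
        return result
    if not result.present:
        result.findings.append("Strict-Transport-Security header missing")
        return result
    directives, error = parse_hsts(hdrs["strict-transport-security"])
    if error:
        result.findings.append(f"header invalid ({error}); browsers ignore it")
        return result
    result.max_age = int(directives["max-age"])
    result.include_subdomains = "includesubdomains" in directives
    result.preload = "preload" in directives
    if result.max_age == 0:
        result.findings.append("max-age=0 clears the policy; only use it while backing out")
    elif result.max_age < ONE_YEAR:
        result.findings.append(f"max-age {result.max_age}s is below the one-year target (fine during ramp-up)")
    if not result.include_subdomains:
        result.findings.append("includeSubDomains absent; subdomains stay unprotected")
    if result.preload and (result.max_age < ONE_YEAR or not result.include_subdomains):
        result.findings.append("preload set but max-age/includeSubDomains do not meet the preload-list rules")
    return result


def fetch_headers(url: str) -> Dict[str, str]:
    """Live variant (needs network): GET the page over TLS and return its headers.
    Use assess(fetch_headers('https://www.example.com/')) for a real re-check."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("re-check the https:// URL; the http:// side is ignored by browsers")
    conn = HTTPSConnection(parts.hostname, parts.port or 443, timeout=10)
    conn.request("GET", parts.path or "/")
    return dict(conn.getresponse().getheaders())
```

Run assess() against the home page, a redirect and an error page; an empty findings list on all three is the pass condition, and the ramp-up warning is expected while max-age is still being raised.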
Related tools
This issue is best verified with the full FreeSiteAudit crawl rather than a single-point mini tool.