Strict-Transport-Security header missing or invalid


The Strict-Transport-Security header was found to be missing or invalid. The Strict-Transport-Security header allows web site operators to force communications to occur over a TLS connection. By enabling this header, websites can protect their users from various forms of network eavesdropping or interception attacks. While most browsers prevent mixed-content (loading resources from HTTP when navigating from an HTTPS site), this header also ensures that all resource requests are only ever initiated over a secure transport.


Only three directives are applicable for the Strict-Transport-Security header.

  1. max-age: This required directive specifies how long (in seconds) after receiving the response it should communicate only over a secure transport.
  2. includeSubDomains: This optional, valueless directive signals that the policy applies to this host as well as any subdomains found under this host’s domain.
  3. preload: While not part of the specification, setting this optional value allows major browser organizations to add this site into the browser’s preloaded set of HTTPS sites. This requires further action on behalf of the website operator to submit their domain to the browser’s HSTS preload list. See for more information.

Note that invalid directives, or the Strict-Transport-Security header appearing more than once (if the values are different) is considered invalid.

Prior to adding to this security configuration to your website, it is recommended you review the Deployment Recommendations.


ID Aggregated CWE Type Risk
16.7 true 16 Passive Low