Quick Reference
Element Code: SE-002
Issue: HTTP Strict Transport Security header is not set
Impact: Vulnerable to downgrade attacks and SSL stripping
Fix: Add HSTS header to enforce HTTPS connections
Detection: Security scanners, browser DevTools, SSL Labs
What Is This Issue?
HSTS tells browsers to only connect to your site via HTTPS, even if the user types HTTP or clicks an HTTP link. Without it, attackers can potentially intercept the initial HTTP request before it redirects to HTTPS.
Why This Matters
- Man-in-the-Middle Prevention: Blocks SSL stripping attacks
- Forced HTTPS: Browser won't connect via HTTP
- SEO: Part of good security practices that can influence trust
How to Implement
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- max-age: How long (seconds) to remember HSTS (31536000 = 1 year)
- includeSubDomains: Apply to all subdomains
- preload: Marks the site as eligible for browser preload lists (inclusion still requires submitting the domain to the list, and it only applies once max-age is at least one year and includeSubDomains is set)
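The following checker is an added example, not code from the original page or from SEO ProCheck. It parses a Strict-Transport-Security header value into its directives and reports the gaps described above (missing header, short or zero max-age, missing includeSubDomains, a preload directive that does not yet satisfy the preload-list requirements). The header dictionaries at the bottom are constructed sample input; the function names `parse_hsts` and `check_hsts` and the `ONE_YEAR` threshold are this example's own.

```python
"""Validate a Strict-Transport-Security header value (added example)."""

ONE_YEAR = 31536000  # seconds; the max-age the page recommends


def parse_hsts(value: str) -> dict:
    """Split an HSTS header value into its directives.

    Directives are ';'-separated and matched case-insensitively.
    Returns {'max_age': int | None, 'include_subdomains': bool, 'preload': bool}.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age="..." is also valid syntax
        if name == "max-age":
            if arg.isdigit():
                result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def check_hsts(headers: dict, scheme: str = "https") -> list:
    """Return a list of findings for a set of response headers.

    `headers` maps header names to values (lookup is case-insensitive).
    `scheme` is the scheme the response was fetched over; browsers ignore
    HSTS sent over plain HTTP, so the HTTPS origin is the one to check.
    An empty list means the policy matches the page's recommendation.
    """
    findings = []
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if scheme != "https":
        findings.append("HSTS is only honoured on HTTPS responses; "
                        "check the HTTPS origin instead")
    if hsts is None:
        findings.append("Strict-Transport-Security header is not set")
        return findings

    parsed = parse_hsts(hsts)
    max_age = parsed["max_age"]
    if max_age is None:
        findings.append("max-age directive missing or malformed")
    elif max_age == 0:
        findings.append("max-age=0 disables HSTS")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains not set")
    # preload lists require a one-year max-age and includeSubDomains
    if parsed["preload"] and (max_age is None or max_age < ONE_YEAR
                              or not parsed["include_subdomains"]):
        findings.append("preload requested but preload-list requirements "
                        "not met (needs max-age >= 1 year and includeSubDomains)")
    return findings


# Constructed sample responses, not captured from any real site.
SAMPLE_RESPONSES = {
    "recommended": {"Strict-Transport-Security":
                    "max-age=31536000; includeSubDomains; preload"},
    "one_day_only": {"strict-transport-security": "max-age=86400"},
    "no_hsts": {"Content-Type": "text/html; charset=utf-8"},
}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(label, "->", check_hsts(headers) or ["ok"])
```

Run it against headers captured from the HTTPS origin (for example from browser DevTools or a scanner's output). Check the apex domain as well as `www`, since a policy served only on one host leaves the other unprotected, and remember that even a correct header only takes effect after the first successful HTTPS visit; the preload list is what closes that first-request gap.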
TL;DR (The Simple Version)
Your site doesn't tell browsers to always use HTTPS. Add the HSTS header so browsers automatically upgrade HTTP requests to HTTPS, preventing downgrade attacks.