Security: Missing HSTS Header

back to issues overview

Missing HSTS Header

URLs that are missing the HSTS response header. The HTTP Strict-Transport-Security response header (HSTS) instructs browsers that it should only be accessed using HTTPS, rather than HTTP.

If a website accepts a connection to HTTP, before being redirected to HTTPS, visitors will initially still communicate over HTTP.

The HSTS header instructs the browser to never load over HTTP and to automatically convert all requests to HTTPS.

How to Analyse in the SEO Spider

Use the ‘Security’ tab and ‘Missing HSTS Header’ filter to view these URLs and export all URLs using the ‘Export’ button.

What Triggers This Issue

This issue is triggered when a URL is missing the HSTS response header.

For example:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

How To Fix

The HSTS header should be used across all pages to instruct the browser that it should always request pages via HTTPS, rather than HTTP.

Further Reading

Back to top