The HSTS header is one of the most important response headers for protecting your website against attacks such as cookie hijacking and session interception. If you are running a WordPress website, it is one of the first things you should implement to protect your visitors, because many shared hosting providers and PHP-based sites do not enable the HSTS header by default.
In this guide, I will show you some super simple steps to fix the missing HSTS header on your website. Don’t worry – I’ll also point you to some awesome tools that will tell you whether your website has the “HSTS missing from HTTPS server” issue or not. Trust me, by the end of this article you’ll be able to implement HSTS like a pro and make your website more secure.
What is HSTS (HTTP Strict Transport Security)?
Let me explain what exactly HSTS is in simple terms. HSTS (HTTP Strict Transport Security) is a security mechanism that forces browsers to reach your website only over secure HTTPS connections instead of plain HTTP. You know how sometimes websites start with “http://” and sometimes with “https://”? HSTS makes sure it’s always the secure “https://” one.
Think of it like this – when you activate HSTS on your website, you’re telling web browsers “Hey, whenever someone wants to access my website, always use the secure HTTPS connection, even if they type HTTP in the URL“. This is super important because HTTPS encrypts all the data that flows between your website and its visitors, making it much harder for hackers to steal sensitive information.
Here’s why it’s so crucial:
- It automatically upgrades HTTP requests to HTTPS at the client (browser) level, before any request leaves the browser
- Prevents downgrade attacks (when hackers try to force your site back to unsecure HTTP)
- Protects your visitors’ sensitive data like login credentials and personal information
- Makes browsers remember to always use HTTPS for your domain
Real talk – without HSTS, even if you have HTTPS set up, visitors might still connect through unsecure HTTP first (for example by typing the bare domain), creating a small window where an attacker on the network could intercept or redirect the connection. HSTS closes this gap for every browser that has already seen the header, and, once your site is on the browsers’ preload list, for first-time visitors too.
Now that you’ve realized how important HSTS is, let’s talk about how to check whether your site has HSTS enabled.
How to Check HSTS in Your Website?
Checking for HSTS is actually pretty simple if your hosting account gives you access to the HTTP headers section. However, most people use basic hosting plans rather than enterprise-level hosting, which is why they don’t get direct access to these options in their hosting accounts.
Two awesome websites that let you analyze your site directly are httpstatus.io and securityheaders.com – I personally recommend the second option, as it provides a more detailed security analysis.
1. Check HTTP headers with the Corenexis tools
Go to the security headers checker, enter your website’s URL, and click on the “Check” button. Instantly, you’ll get all the information about your site’s HTTP headers. You can also see which headers are missing and check your website’s HTTP security score. This is a highly beginner-friendly tool that anyone can use effortlessly. Whether you need a detailed report or just a quick analysis, this website is perfect for both situations. It’s reliable, easy to use, and provides accurate results.
2. Check HTTP headers with httpstatus.io
Using httpstatus.io is super simple – just go to their website, add your website URL in the input box, and click the “Check Status” button. Your website will be analyzed, and below the response code you’ll see a dropdown icon. When you click on it, all the response headers show up right there; just scroll down.
If you’re a technical person, this site is really the best choice for you, as it provides detailed header information. But if you’re not too technical, I recommend the second option, securityheaders.com – it’s much more beginner-friendly and easier to understand.
3. Check HTTP headers with securityheaders.com
The securityheaders.com website is super simple and gives your website a letter grade – an A+ score means your website’s headers are in great shape, and a D means you need to strengthen your website’s security headers.
Just add your website URL and click the scan button.
You need to add the complete URL here – if your domain is “corenexis.com” but your website opens as “https://corenexis.com”, then you need to enter the https:// variant of the URL.
As you can see in the images above, you’ll get green indicators for all the important headers that are found on your website, and red ones for those that are missing. This makes it super easy to check if the Strict Transport Security header is active on your website or not.
There’s another option to check this using Screaming Frog – if you’re in the SEO field, you probably already know about this tool. Just crawl your website, and in the overview details section on the right, you can see if there’s an error showing “Strict Transport Security missing” as shown in the image below.
How to Add HSTS Header?
⚠️ IMPORTANT: Before implementing HSTS Header, make sure your website has a proper 301 redirect from http to https and a valid SSL certificate installed. Always take a complete backup of your website before making any changes to server headers – this is super important! These are absolutely essential prerequisites – without them, your HSTS implementation won’t work correctly and could even make your website inaccessible to visitors.
For Apache Server
Most websites, including popular CMS platforms like WordPress and Joomla, are typically hosted on Apache servers. That’s why we’ll start with the Apache configuration first.
Adding the HSTS header on an Apache server is super simple. Just add these lines to your .htaccess file or to your Apache configuration file.
If you are using WordPress, your .htaccess file usually already contains an <IfModule mod_headers.c> block; just find it and add this line inside it:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
As shown in the image below
If you are running a non-CMS website, just add this complete block to your .htaccess file:
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>
Don’t worry if this looks complicated – let me break down what each part means:
- max-age=31536000: This tells browsers to remember to use HTTPS for your site for one year (31536000 seconds)
- includeSubDomains: This applies the HSTS policy to all your subdomains too
- preload: This signals that you consent to having your site added to the browsers’ built-in HSTS preload list; you still have to submit the domain yourself at hstspreload.org, which also requires includeSubDomains and a max-age of at least one year
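If you would rather check a response yourself than paste your URL into a third-party site, here is an added Python example (not part of the original guide) that grades a Strict-Transport-Security value against the three directives just explained; the sample responses are constructed, and for a live site you would feed it the headers returned by your HTTPS URL.

```python
import re
from typing import Dict, List, Optional

# Constructed sample responses, not captured from any real site: the value this
# guide recommends, one that is too short to be useful, and one with no HSTS at all.
SAMPLE_RESPONSES = {
    "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "short": {"Strict-Transport-Security": "max-age=300"},
    "missing": {"Content-Type": "text/html"},
}

ONE_YEAR = 31536000  # seconds; also the minimum max-age hstspreload.org accepts


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split an HSTS value into directives; bare flags like 'preload' map to None."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def check_hsts(headers: Dict[str, str]) -> Dict[str, object]:
    """Grade one response's HSTS header the way the checker sites above do."""
    # Header names are case-insensitive, so do not rely on exact spelling.
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    problems: List[str] = []
    max_age: Optional[int] = None
    if value is None:
        problems.append("Strict-Transport-Security header missing")
        return {"present": False, "max_age": None, "include_subdomains": False,
                "preload": False, "problems": problems}
    d = parse_hsts(value)
    raw_age = d.get("max-age")
    if raw_age is None or not re.fullmatch(r"\d+", raw_age):
        problems.append("max-age is required and must be a whole number of seconds")
    else:
        max_age = int(raw_age)
        if max_age < ONE_YEAR:
            problems.append(f"max-age={raw_age} is under one year; browsers forget the policy quickly")
    include_sub, preload = "includesubdomains" in d, "preload" in d
    # Preload submission is only accepted with includeSubDomains (and max-age >= 1 year).
    if preload and not include_sub:
        problems.append("preload requires includeSubDomains")
    return {"present": True, "max_age": max_age, "include_subdomains": include_sub,
            "preload": preload, "problems": problems}
```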
For Nginx Server
If you’re using Nginx, it’s just as easy. Add this line to the HTTPS (port 443) server block of your site configuration (usually found in /etc/nginx/sites-available/your-site). One caveat: if a location block inside that server block has its own add_header directives, it does not inherit this one, so repeat the line there too.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
After adding these headers, reload or restart your web server if you edited the main server configuration (changes made in .htaccess take effect immediately, with no restart needed):
- For Apache: sudo service apache2 restart
- For Nginx: sudo service nginx restart
Let’s check whether the HSTS header has been added to your website.
To verify that the HSTS header is working correctly, just visit the HTTP header checker websites we discussed earlier in this guide. They will confirm whether your HSTS implementation is successful and active on your website.
In the Corenexis security header tool: As you can see, we have successfully added the HSTS header and now score 80 points, a “Very Good” rating.
in securityheaders.com: As you can see, our website now shows a green flag for HSTS headers, indicating that we’ve successfully implemented the Strict Transport Security header on our website.
In httpstatus.io: As you can see in the image below, our website now shows the Strict Transport Security header in the results, confirming our implementation was successful.
Potential Issues After Adding HSTS Header
If you’ve already implemented HSTS on your website, you might face these problems:
- SSL Certificate Issues
  - If your SSL certificate expires, your site will become completely inaccessible
  - Users will see strict browser security warnings that they can’t bypass
  - Even if you try to access via HTTP, browsers will force HTTPS
- Browser Caching Problems
  - Once HSTS is active, browsers remember it for the entire max-age period
  - If you need to temporarily disable HTTPS, you can’t – browsers will refuse HTTP
  - Clearing browser cache won’t help – HSTS settings persist
- Subdomain Access Problems
  - If using ‘includeSubDomains’, any subdomain without valid SSL will stop working
  - Test subdomains, dev environments, or admin panels might become inaccessible
  - Moving subdomains to new servers can cause issues if SSL isn’t set up first
Conclusion
Adding HSTS headers is super important for your website’s security, and now you know exactly how to implement it! Just remember to take a backup before making any changes, and make sure you have a valid SSL certificate installed. If you face any issues during implementation, simply contact your hosting support team or drop a comment below – we’re here to help.