How to Resolve 'HSTS Missing from HTTPS Server' Error on Your Website


May 8, 2025 - 12:13
When it comes to website security, just having HTTPS in your URL bar isn’t enough anymore. These days, it’s the baseline, not the finish line. Installing an SSL certificate is a solid first step, but if you've come across the warning "HSTS Missing from HTTPS Server", it means there's still a gap in your defenses that hackers could take advantage of.

In this post, we’ll break down what that error actually means, why it’s something you shouldn’t ignore, and how to fix it, one step at a time.

What Does "HSTS Missing from HTTPS Server" Really Mean?

If you're seeing that error, it means your server isn’t sending a specific HTTP response header called Strict-Transport-Security. This header is what activates HTTP Strict Transport Security, or HSTS for short.

Here’s the short version: HSTS tells web browsers, "this site should only ever be loaded over HTTPS." Once a browser has seen the header on an HTTPS response from your site, every later http:// request to it (a typed URL, a bookmark, a link on another site) is rewritten to https:// before it leaves the browser, and a certificate error on that site can no longer be clicked through.

Without HSTS in place, that automatic safety net disappears. And that leaves room for bad actors to sneak in with tricks like man-in-the-middle attacks or SSL stripping, especially on public Wi-Fi or unsecured networks.

Without this directive, your website is susceptible to threats like:

  • Man-in-the-Middle (MITM) attacks
  • SSL stripping
  • Session hijacking

Even if your SSL certificate is valid, the browser's first request to http://yourdomain.com still goes out in plaintext, and without HSTS an attacker on the path can answer that request themselves instead of letting your redirect to HTTPS through. The user is never downgraded from HTTPS; they simply never reach it.

Why Is HSTS Important?

  • Enhanced Security

Once a browser has seen the header (over HTTPS; it ignores the header if it arrives over plain HTTP), it rewrites every http:// request to that host to https:// for max-age seconds, refreshing the timer each time it sees the header again, and it refuses to let the user bypass certificate warnings for that host.

  • SEO and Performance Boost

Search engines like Google prefer HTTPS-secured websites. HSTS also saves a round trip on return visits: the browser goes straight to https:// instead of first fetching the 301 redirect from port 80.

  • Blocks Downgrade Attacks

SSL stripping (the technique behind tools like sslstrip) works on that first plaintext request: the attacker answers the http:// request, fetches the real pages from your server over HTTPS, and hands them back to the victim over HTTP with every https:// link rewritten, so the victim stays on plaintext without ever seeing a warning. HSTS closes the gap because, once the policy is cached, the browser never sends that plaintext request in the first place.

Common Risks If HSTS Is Missing

  1. MITM Attacks – An attacker on the path can read and alter any traffic the browser sends over plain HTTP.

  2. Cookie Hijacking – Session cookies that are not marked Secure are sent with any plaintext request and can be captured and replayed.

  3. Data Leakage – Sensitive information (passwords, personal info) submitted on a stripped page is sent in plaintext.

  4. Security Warnings – Scanners such as Mozilla Observatory, SecurityHeaders.com or Qualys SSL Labs report the missing header as a finding; the "HSTS Missing from HTTPS Server" message itself comes from that kind of scan.

How to Fix 'HSTS Missing from HTTPS Server' Error

Let’s go through the five key steps to fix this error and lock down your website properly.

Step 1: Backup Your Website

Before making any server-level changes, create a complete backup of your site files and database.

Why it matters:

  • Once a browser has cached a long max-age, it refuses to load anything on that host (and, with includeSubDomains, on any subdomain) that is not served over valid HTTPS until the policy expires, so a mistake here cannot be undone from the server side.
  • A misconfigured redirect rule might cause redirect loops or break certain URLs.

Use your hosting panel (like cPanel or Plesk) or a plugin if you’re using WordPress to back up your site completely.

Step 2: Redirect HTTP to HTTPS Using a 301 Redirect

HSTS only works after HTTPS is in place, and browsers ignore the header unless it arrives over HTTPS, so first make sure every HTTP request is redirected to the HTTPS version of the same host.

Apache Configuration (via .htaccess):

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Nginx Configuration:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    # Redirect to HTTPS on the same host the client asked for. Canonicalising
    # www -> apex belongs in the HTTPS server block: the preload list (Step 4)
    # requires the port-80 redirect to stay on the same host.
    return 301 https://$host$request_uri;
}

This ensures no page is served over plain HTTP, and it satisfies the same-host redirect check that the preload list performs on port 80.

Also read: How to Install SSL Certificate on NGINX Web Server?

Step 3: Add the HSTS Header to Your Server

The core fix is adding the Strict-Transport-Security header to your HTTPS server response.

Apache:
In the VirtualHost for port 443 of your Apache .conf (or in .htaccess if you don't control the main config), with mod_headers enabled (sudo a2enmod headers on Debian/Ubuntu), add:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Nginx:

Inside the server block for HTTPS (the one with listen 443 ssl), add the line below. Note that add_header directives in a location block replace, rather than extend, those inherited from the server block, so repeat it in any location that sets its own headers:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Explanation of the directives:

  • max-age=31536000: one year in seconds; browsers refresh the expiry every time they see the header, and the preload list requires at least this value. For a first rollout, start lower (for example max-age=300) and raise it once you have confirmed nothing breaks; that is far easier than waiting for a year-long policy to expire.
  • includeSubDomains: applies the policy to every subdomain, including hosts that are not public web servers yet (staging, internal tools, a mail web UI). Check that all of them have valid certificates before adding this.
  • preload: not part of RFC 6797 itself; it signals your consent for inclusion in the browser preload lists and is required by hstspreload.org. Leave it out until you are ready for Step 4.

After saving changes, test the configuration (sudo apachectl configtest or sudo nginx -t), then reload or restart the web server (on RHEL-based systems the Apache unit is called httpd):

# Apache

sudo systemctl restart apache2

# Nginx

sudo systemctl restart nginx

Step 4: Add Your Site to the HSTS Preload List

The Chromium project maintains the preload list, and Chrome, Firefox, Edge and Safari all ship copies of it. If your site is on the list, HSTS is enforced from the very first visit, which closes the trust-on-first-use gap that the header alone leaves open.

Requirements to be eligible:

  • Serve a valid SSL certificate.
  • Redirect HTTP to HTTPS on the same host if you listen on port 80 (http://www.yourdomain.com must redirect to https://www.yourdomain.com, not straight to the apex).
  • Serve all subdomains over HTTPS, including www if a DNS record for it exists.
  • Send the HSTS header on the base domain over HTTPS with max-age=31536000 (or more); includeSubDomains; preload. If the HTTPS base domain itself redirects (for example to www), that redirect response must also carry the header.

Once these conditions are met, submit your domain at:
https://hstspreload.org

The site checks eligibility immediately, but reaching users takes weeks to months as new browser builds ship, and a removal (also requested through hstspreload.org) takes just as long to propagate. Treat inclusion as permanent and submit only once every subdomain is ready.

Step 5: Verify HSTS Is Working

After setup, you need to confirm that the HSTS header is present and correctly configured.

Use an online scanner such as SSL Labs, SecurityHeaders.com or Mozilla Observatory, or query the server directly with curl -sI https://yourdomain.com | grep -i strict. Look for the Strict-Transport-Security header in the HTTPS response and ensure it shows something like:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

You can also inspect it manually:

  • Open your site in Chrome
  • Right-click > Inspect > Network tab
  • Reload the page and click the domain entry
  • Look under "Response Headers"

Also check the redirect: curl -sI http://yourdomain.com should return a 301 whose Location points to https:// on the same host. In Chrome, chrome://net-internals/#hsts lets you query the policy the browser has actually stored for your domain.
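To make the browser behaviour described under "Blocks Downgrade Attacks" concrete, and to automate the Step 4 and Step 5 checks, here is an added example (not code from the original article or from any browser) that models how a browser processes the Strict-Transport-Security header per RFC 6797 and pre-checks a site's responses against the hstspreload.org rules. Every hostname, header value and redirect in it is constructed, and the names HstsCache, parse_hsts, policy_from and preload_findings are chosen for this example only.

```python
"""HSTS parser, browser-side policy model and preload pre-check.

Added example, not code from the original article or any browser. Implements
the RFC 6797 processing rules a browser applies to Strict-Transport-Security
and checks constructed responses against the hstspreload.org rules.
"""
import re
import time
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # minimum max-age accepted by hstspreload.org

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an STS header value; None if a browser would reject it (RFC 6797:
    max-age mandatory, names case-insensitive, no directive twice). Unknown
    directives such as 'preload' (a preload-list signal) are tolerated."""
    seen: Dict[str, str] = {}
    for part in filter(str.strip, value.split(";")):
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen[name] = raw.strip().strip('"')
    if not re.fullmatch(r"\d+", seen.get("max-age", "")):
        return None
    return HstsPolicy(int(seen["max-age"]), "includesubdomains" in seen, "preload" in seen)

def policy_from(headers: Dict[str, str]) -> Optional[HstsPolicy]:
    """Case-insensitive lookup of the STS header, parsed; None if absent or invalid."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    return parse_hsts(value) if value is not None else None

class HstsCache:
    """Minimal model of a browser's HSTS store (trust on first use)."""
    def __init__(self, now=time.time):
        self.now = now
        self.store: Dict[str, tuple] = {}  # host -> (expiry, include_subdomains)

    def observe(self, host: str, scheme: str, headers: Dict[str, str]) -> None:
        """Learn a policy from a response. Only HTTPS responses count, so a header
        injected into plaintext HTTP by a MITM is ignored; max-age=0 forgets."""
        policy = policy_from(headers) if scheme == "https" else None
        if policy is None:
            return
        if policy.max_age == 0:
            self.store.pop(host, None)
        else:
            self.store[host] = (self.now() + policy.max_age, policy.include_subdomains)

    def should_upgrade(self, host: str) -> bool:
        """True if an http:// navigation to host gets rewritten to https://. A parent
        domain's policy applies only with includeSubDomains; expired ones are ignored."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.store.get(".".join(labels[i:]))
            if entry is not None and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False

def preload_findings(base_host: str, http_redirect: Optional[str],
                     https_headers: Dict[str, str]) -> List[str]:
    """hstspreload.org rules: port-80 redirect to https:// on the same host, and
    the HTTPS base domain sends max-age >= 1 year + includeSubDomains + preload.
    Returns the problems found; an empty list means eligible so far."""
    problems: List[str] = []
    target = urlsplit(http_redirect or "")
    if target.scheme != "https" or target.hostname != base_host:
        problems.append("HTTP redirect must go to https:// on the same host first")
    policy = policy_from(https_headers)
    if policy is None:
        return problems + ["no valid Strict-Transport-Security header over HTTPS"]
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age={policy.max_age} is below 31536000")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing")
    if not policy.preload:
        problems.append("preload missing")
    return problems

if __name__ == "__main__":
    clock = [1_700_000_000.0]  # constructed clock so expiry can be simulated
    browser = HstsCache(now=lambda: clock[0])
    hsts = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
    print("first http:// visit upgraded:", browser.should_upgrade("example.com"))
    browser.observe("example.com", "http", hsts)   # MITM-injected over plaintext: ignored
    browser.observe("example.com", "https", hsts)  # genuine HTTPS response: cached
    print("subdomain after HTTPS visit:", browser.should_upgrade("www.example.com"))
    clock[0] += ONE_YEAR + 1
    print("after max-age elapsed:", browser.should_upgrade("example.com"))
    print(preload_findings("www.example.com", "https://example.com/", hsts))  # www->apex fails
```

The demo walks the trust-on-first-use gap from the "Blocks Downgrade Attacks" section: the very first http:// visit is not upgraded, a header that a MITM injects into the plaintext leg is ignored, the genuine HTTPS response enables the upgrade for the subdomain too, and the policy lapses once max-age has run out. The last call shows why the port-80 redirect must stay on the same host: a www host that redirects straight to the apex fails the preload check even though its header is perfect.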

Bonus Tips to Consider:

  • Don’t add the preload directive (or submit to the list) until every subdomain has been verified over HTTPS; it is far easier to add the directive later than to get off the list.
  • Short max-age values like 300 or 1000 seconds are fine during a staged rollout, but they protect a visitor only for that long after each visit, and the preload list rejects anything below 31536000. Raise the value once the site is confirmed working.
  • If a CDN or reverse proxy (Cloudflare, for example) terminates TLS in front of your server, the header the browser sees is the one the edge sends: either enable HSTS in the provider's settings or confirm with curl that your origin's header survives the proxy.

Final Thoughts

Fixing the “HSTS Missing from HTTPS Server” error is more than clearing a scanner alert: it removes the plaintext first request that SSL stripping depends on, makes certificate warnings non-bypassable for your domain, saves a redirect on return visits, and builds trust with users and search engines alike.

While it may seem technical, the setup is straightforward if you follow the steps carefully. Back up the site, redirect HTTP to HTTPS on the same host, send the header only over HTTPS with a max-age you have tested, and verify the result; then the finding is gone for good.