HSTS Header
Checks for Strict-Transport-Security header — blocks HTTPS downgrade attacks.
What this check measures
We read the `Strict-Transport-Security` HTTP response header. The value must carry a max-age of at least one year (31536000 seconds) and ideally the includeSubDomains and preload directives as well.
Why it matters
HSTS tells browsers: never connect to this domain over HTTP, ever. That blocks downgrade attacks on hostile networks (airport wifi, corporate proxies). Once a browser has seen the HSTS header, it refuses plain-HTTP connections to the host for the max-age duration, so users stay protected for that long.
How our audit detects it
Parse the response headers for Strict-Transport-Security, then validate the max-age value and check for the includeSubDomains and preload directives.
Typical findings
- No HSTS header at all — HTTPS works but downgrade still possible.
- max-age=300 (5 minutes) — short max-age defeats the purpose.
- No includeSubDomains — subdomains still vulnerable.
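The detection step described above, as an added example (not Pantra's audit code): a small Python validator that splits the Strict-Transport-Security value into directives and flags each of the typical findings listed. It assumes the caller has already fetched the response headers over HTTPS and passes them in as a dict; the sample header values at the bottom are constructed for illustration.

```python
"""Validate a Strict-Transport-Security header the way an HSTS audit would.

Added example, not Pantra's audit code. Input is a plain dict of response
headers; fetching them over HTTPS is left to the caller.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age this check accepts


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)    # fail the check
    warnings: List[str] = field(default_factory=list)  # advisory only

    @property
    def passes(self) -> bool:
        return not self.errors


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an STS field value into directives (RFC 6797 section 6.1).

    Directive names are case-insensitive; only max-age carries a value, and
    that value may be quoted ('max-age="31536000"').
    """
    directives: Dict[str, str] = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, raw = token.partition("=")
        directives[name.strip().lower()] = raw.strip().strip('"')
    return directives


def check_hsts(headers: Dict[str, str]) -> HstsResult:
    """Evaluate the HSTS policy in a response header map (names case-insensitive)."""
    value = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"),
        None,
    )
    if value is None:
        return HstsResult(present=False, errors=["No HSTS header at all"])

    d = parse_hsts(value)
    result = HstsResult(
        present=True,
        include_subdomains="includesubdomains" in d,
        preload="preload" in d,
    )

    raw_age = d.get("max-age", "")
    if not raw_age.isdigit():
        # RFC 6797: max-age is required; a header without a valid one is ignored.
        result.errors.append("max-age missing or not a number; browsers ignore the header")
    else:
        result.max_age = int(raw_age)
        if result.max_age == 0:
            result.errors.append("max-age=0 tells browsers to forget the HSTS policy")
        elif result.max_age < ONE_YEAR:
            result.errors.append(f"max-age={result.max_age} is shorter than one year")

    if not result.include_subdomains:
        result.errors.append("No includeSubDomains; subdomains still reachable over HTTP")
    if not result.preload:
        result.warnings.append("No preload directive; not eligible for the browser preload list")
    return result


if __name__ == "__main__":
    # Constructed sample responses covering the typical findings above.
    samples = {
        "no header": {"Content-Type": "text/html"},
        "short max-age": {"Strict-Transport-Security": "max-age=300"},
        "no includeSubDomains": {"strict-transport-security": 'max-age="63072000"'},
        "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    }
    for label, hdrs in samples.items():
        r = check_hsts(hdrs)
        status = "PASS" if r.passes else "FAIL"
        print(f"{label:22} {status}  errors={r.errors} warnings={r.warnings}")
```

Missing preload is reported as a warning rather than an error because the page lists it as "ideal" rather than required; a missing or non-numeric max-age is an error because browsers ignore the whole header in that case, which is worse than a short one.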
How to fix
Add `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`. Submit the domain at hstspreload.org once all subdomains serve HTTPS. The policy takes effect after the browser's first HTTPS visit that returns the header; the preload list covers visits before that.
Frequently asked questions
Can HSTS lock me out?
Pantra runs the full audit (SEO, Security, GEO, Performance, Schema, Technical, Images) in 10 seconds and generates stack-specific fix prompts.
Related checks
- HTTPS Enabled (Security): Checks that the site serves over HTTPS and redirects HTTP to HTTPS.
- TLS Version (Security): Checks that the server uses TLS 1.2 or higher — older versions are broken.
- Mixed Content (Security): Checks for HTTP resources loaded on HTTPS pages — browsers block or warn.
- SSL Certificate: Checks that the SSL certificate is valid, not expired, and not expiring soon.