security · critical impact · tier 1 · verified (99% confidence)
Site missing HSTS (Strict-Transport-Security) header
from security agent · cross-site verified across production deployments
The trigger
Site missing HSTS (Strict-Transport-Security) header
The fix
Add HSTS to force HTTPS on subsequent visits. Start with a short max-age, increase to 1 year once stable. Required for hsts-preload submission.
Code example
# Cautious rollout (1 hour):
Strict-Transport-Security: max-age=3600
# Production-ready (1 year + subdomains + preload):
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
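A small checker that implements the rollout advice above as code: it parses a Strict-Transport-Security value per RFC 6797 (max-age required, each directive at most once, unknown directives ignored) and reports whether the header is missing, still at a rollout value, or meets the three hsts-preload submission requirements (max-age of at least one year, includeSubDomains, preload). This is an added example, not code from the scanner or the original page; the header dicts and the ONE_YEAR constant are constructed for illustration.

```python
# Preload submission requirements (hstspreload.org): max-age >= 1 year,
# includeSubDomains, and the preload directive. Assumed constant, not page-defined.
ONE_YEAR = 31536000


def parse_hsts(value):
    """Parse an STS header value into directives. Raises ValueError if malformed."""
    directives = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        # RFC 6797 §6.1: a directive may appear only once; duplicates invalidate the header
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')  # value may be quoted
            if not arg.isdigit():
                raise ValueError(f"invalid max-age: {arg!r}")
            directives["max_age"] = int(arg)
        elif name == "includesubdomains":
            directives["include_subdomains"] = True
        elif name == "preload":
            directives["preload"] = True
        # any other directive is ignored, as a UA would ignore it
    return directives


def assess_hsts(headers):
    """Return a list of findings for a dict of response headers (case-insensitive names)."""
    value = None
    for name, val in headers.items():
        if name.lower() == "strict-transport-security":
            value = val
            break
    if value is None:
        return ["critical: Strict-Transport-Security header missing"]
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [f"critical: malformed HSTS header ({exc})"]

    findings = []
    if d["max_age"] is None:
        return ["critical: max-age directive is required"]
    if d["max_age"] == 0:
        findings.append("warning: max-age=0 disables HSTS (only valid when deliberately removing it)")
    elif d["max_age"] < ONE_YEAR:
        findings.append(f"info: max-age={d['max_age']} is a rollout value; raise to {ONE_YEAR} once stable")
    if not d["include_subdomains"]:
        findings.append("info: includeSubDomains missing; subdomains remain unprotected")
    if d["preload"] and (d["max_age"] < ONE_YEAR or not d["include_subdomains"]):
        findings.append("warning: preload set but preload-list requirements not met")
    if not findings:
        if d["preload"]:
            findings.append("ok: HSTS meets preload requirements")
        else:
            findings.append("ok: HSTS set; add preload to submit to the preload list")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, one per stage of the rollout described above
    samples = {
        "no header": {"Content-Type": "text/html"},
        "rollout": {"Strict-Transport-Security": "max-age=3600"},
        "production": {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"},
    }
    for label, hdrs in samples.items():
        print(label, "->", assess_hsts(hdrs))
```

Header names are matched case-insensitively because HTTP header names are case-insensitive and servers and proxies emit them in either form. Note that browsers only honor an STS header received over HTTPS, so the check should be run against the TLS response, not a plain-HTTP redirect.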
Related patterns
security · warning: Site missing Permissions-Policy header
security · warning: Site missing Referrer-Policy header
security · warning: Site missing X-Content-Type-Options header
security · critical: Site missing X-Frame-Options header
security · critical: Site missing Content-Security-Policy header
security · high: prefix_match_middleware_bug