atlookup

Strict-Transport-Security (HSTS) Header missing

Without an HSTS header, the first request a visitor makes can be sent over plain HTTP, leaving them open to SSL-stripping and man-in-the-middle downgrade attacks before the HTTPS redirect ever fires.

Impact: medium (rule ID: HSTS_MISSING)

Why it matters

Without an HSTS header, the first request a visitor makes can be sent over plain HTTP, leaving them open to SSL-stripping and man-in-the-middle downgrade attacks before the HTTPS redirect ever fires. HSTS instructs browsers to connect only over HTTPS for a set duration.

Schedule a fix in your next sprint. Warnings won't block your site but they consistently leave performance on the table. Estimated SEO impact: medium — measurable effect on click-through or relevance.

How to fix

  • Send the header on HTTPS responses: Strict-Transport-Security: max-age=31536000; includeSubDomains
  • Start with a shorter max-age while testing, then raise to one year
  • Only add "preload" once you are certain every subdomain supports HTTPS
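An added example, not atlookup's own crawler code, that applies the fix list above as a check in Python: it parses the header value per RFC 6797, reports it as missing, invalid, weak or ok, and flags the cases the list warns about (a short max-age, and "preload" without includeSubDomains and a one-year max-age). The status names, thresholds and the sample headers in the comments are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

ONE_YEAR = 31536000  # the max-age value recommended in the fix above

@dataclass
class HstsResult:
    status: str                      # "missing", "invalid", "weak" or "ok" (assumed names)
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    notes: list = field(default_factory=list)

def parse_hsts(value: str):
    """Split directives per RFC 6797 s6.1; names are case-insensitive, a repeat is invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"')
    return directives

def check_hsts(headers: dict, scheme: str = "https") -> HstsResult:
    """Evaluate the HSTS header of one response, e.g. {"Strict-Transport-Security": "max-age=300"}."""
    # Browsers ignore HSTS on plain-HTTP responses, so only HTTPS responses count.
    if scheme != "https":
        return HstsResult("missing", notes=["HSTS is only honoured on HTTPS responses"])
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    value = lower.get("strict-transport-security")
    if value is None:
        return HstsResult("missing")
    d = parse_hsts(value)
    if d is None or not re.fullmatch(r"\d+", d.get("max-age", "")):
        return HstsResult("invalid", notes=["max-age directive is required"])
    r = HstsResult("ok", int(d["max-age"]), "includesubdomains" in d, "preload" in d)
    if r.max_age == 0:
        r.notes.append("max-age=0 tells browsers to forget the policy")
    elif r.max_age < ONE_YEAR:
        r.notes.append("max-age below one year; raise it once testing is done")
    if r.preload and (not r.include_subdomains or r.max_age < ONE_YEAR):
        r.notes.append("preload lists require includeSubDomains and max-age >= one year")
    if r.notes:
        r.status = "weak"
    return r
```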

Common causes

If the rule is firing across many pages, the root cause is almost always one of these:

  • Mixed-content sub-resources from before HTTPS migration that escaped the rewrite.
  • CDN or upstream proxy strips a security header that was set at the origin.
  • Legacy redirects send HTTPS traffic through HTTP first.
  • Test/staging hostnames leak into production HTML via hard-coded URLs.

Anti-patterns to avoid

Even with the best intentions, these "fixes" make the issue worse — recognise them so you don't ship them:

  • Mixed HTTP/HTTPS resources after migration.
  • Self-signed or expired certificates on production.
  • Long-lived secrets in client-rendered HTML or JS bundles.

How atlookup detects this

Our crawler renders each page with a real headless browser, then inspects HTTPS state, response headers, mixed content, and certificate validity. Pages where the Strict-Transport-Security (HSTS) header missing rule fires are flagged on the report.

If you'd like to see this rule fire on your own site, run a free 60-second audit — every page is reported with the exact lines that triggered it.

Tools to verify the fix

Once you've applied the fix, double-check with these external validators:

Frequently asked questions

How long does it take to fix?

5–15 minutes per page. Most teams batch similar issues across templates so the per-page time goes down at scale.