Seeing the “HSTS Missing From HTTPS Server” error when trying to access a website can be alarming for site owners. It signals that your site is exposing users to potential security risks by failing to enforce HTTPS encryption.
While unnerving, the good news is that fixing this cryptic error message is straightforward for those willing to harden their web security stance. Implementing the HTTP Strict Transport Security (HSTS) policy prevents the “HSTS Missing” error by ensuring browsers only interact with your website over encrypted HTTPS connections.
In this comprehensive guide, we’ll demystify the cause of the error, walk through how to properly enable HSTS, provide configuration best practices, and explore troubleshooting suggestions for a bulletproof deployment. Equipped with the right information, you can confidently add HSTS to your web server and rest assured knowing users are connecting to your site in a secure and private way.
What Causes the “HSTS Missing” Error?
The HSTS header tells browsers that the website should only be accessed over HTTPS, not insecure HTTP. It helps prevent downgrade attacks and enforces secure connections.
When a browser that supports HSTS tries to access a site over HTTP and doesn’t receive the HSTS header, it will show the “HSTS Missing From HTTPS Server” error to indicate the issue.
There are a few common causes of this error:
- The HSTS header is not enabled on the HTTPS server. This is the most likely cause if you have never set up HSTS before.
- The HSTS header is set up incorrectly or contains invalid syntax.
- A misconfigured load balancer, reverse proxy, or CDN is stripping out the HSTS header before it reaches the browser.
There are multiple hostnames for the site and HSTS is only enabled on one of them.
How to Fix “HSTS Missing” Error
Fixing the “HSTS Missing” error requires enabling and properly configuring the HTTP Strict Transport Security header. Here are the steps to resolve this issue:
1. Confirm HSTS Header is Not Set
First, verify that the HSTS header is not already present on your HTTPS server. You can use a tool like SSL Labs Server Test to analyze the headers on your server.
If the HSTS header is already enabled, double check that it is valid and consistent across all of your hostnames.
2. Enable HSTS Header
If the HSTS header is missing, add it to your HTTPS server configuration. The basic syntax is:
This sets the HSTS policy to expire after one year (31536000 seconds). Adjust the max-age value based on your preference.
The process for adding headers depends on your server setup:
- Apache – Use the Header directive in your config file.
- Nginx – Add the add_header directive.
- IIS – Configure through the HTTP Response Headers UI.
Cloud Provider (AWS, GCP, Azure) – Add the header through a load balancer rule or CDN configuration.
3. Include Subdomains (Optional)
For broader HSTS coverage, you can include subdomains in the policy by adding ; includeSubDomains to the header:
Strict-Transport-Security: max-age=31536000; includeSubDomains
This applies HSTS to both example.com and sub.example.com.
4. Set Preload Flag (Optional)
Including the preload flag will allow you to submit your domain for inclusion in browser preload lists:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
This enables HSTS by default for the first visit rather than requiring an initial HTTPS connection. Browsers like Chrome and Firefox maintain a preloaded HSTS site list.
5. Test and Verify
Once you add the HSTS header, test it out by visiting your site over HTTP and checking for the error again. You can also re-run a report on SSL Labs to confirm the header is present and valid.
As you make changes, allow some time for the updated HSTS policy to propagate to browsers before retesting.
HSTS Best Practices
Here are some additional tips for applying a robust, security-focused HSTS policy:
- Set a long max-age – Use a value of at least 1 year (31536000 seconds) and consider longer durations like 2-3 years for better security.
- Include subdomains – Apply HSTS to all current and future subdomains to prevent insecure connections.
- Enable preloading – Preload your domain for faster browser adoption of HSTS and maximum coverage.
- Redirect HTTP to HTTPS – Implement a permanent 301 redirect from HTTP to HTTPS to further enforce secure connections.
- Monitor header validity – Periodically scan your headers to check the HSTS policy and ensure it remains intact over time.
- Load test before go-live – Test your server setup under heavy traffic loads before implementing HSTS to identify any issues.
- Plan for outages and expiry – Have a contingency plan in place if your HTTPS service becomes unavailable, as browsers will reject HTTP during outages.
By following security best practices like these, you can implement HSTS in a robust way to maximize the security and integrity of your website connections.
Troubleshooting HSTS Issues
If you are still encountering issues after adding the HSTS header, here are some troubleshooting tips:
- Confirm the HSTS policy is consistent across all hostnames and subdomains for your site.
- Check for any proxy servers, load balancers, or CDNs that could be stripping the header before it reaches browsers. Add HSTS at the origin server.
- Review server logs to identify any errors occurring when adding the header.
- Try adding the header directly in your application code (e.g. .htaccess file) as a workaround if needed.
- For sites behind Cloudflare, verify that “HTTP Strict Transport Security (HSTS)” is enabled under Crypto.
- As a temporary fix, access the site in Chrome using “bad idea” before the hostname to bypass HSTS.
- If preloading, check that you have SSL certificates covering all subdomains and the base domain before submitting.
Proactively troubleshooting and monitoring your HSTS implementation helps identify and fix pain points quickly.
Fixing the “HSTS Missing From HTTPS Server” message leads to a more secure site aligned with modern web standards. By properly configuring the HTTP Strict Transport Security header, you can ensure browsers only interact with your website over encrypted HTTPS connections. While HSTS is not mandatory, it offers protection against common vulnerabilities and attacks.
Take the time to apply HSTS best practices, including longer durations, preloading, and broader subdomain coverage for robust security. Test it extensively and have a plan to handle potential disruptions from HSTS or certificate outages. With this secure policy in place, you can confidently transact and communicate over the web knowing your website traffic is protected.