Add the HSTS security header
HSTS makes browsers upgrade to HTTPS before a request is sent, once they have seen the header over HTTPS, closing a real downgrade/man-in-the-middle window. It is a baseline security-posture signal that trust scanners and some buyers check.
How to fix
Send Strict-Transport-Security on HTTPS responses with a long max-age once you are confident every subdomain is HTTPS-only (the preload directive is irreversible — opt in deliberately).
Strict-Transport-Security: max-age=31536000; includeSubDomains
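One way to verify the header a site actually returns, as an added example (not SEOlvl's own check code): a small Python parser and audit that applies the RFC 6797 directive rules and flags a short max-age, a missing includeSubDomains, or a preload token on a policy that is not ready for it. The function names and the sample header values are constructed for illustration.

```python
import re

ONE_YEAR = 31536000  # max-age from the header shown above, in seconds

def parse_hsts(value):
    """Parse a Strict-Transport-Security value using RFC 6797 section 6.1 rules.
    Returns {directive: argument} with lowercased names, or None if invalid."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if not name:
            continue  # tolerate empty segments such as a trailing ";"
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # the argument may be a quoted-string
        if name in directives:
            return None  # each directive may appear only once
        directives[name] = arg
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None  # max-age is required and must be whole seconds
    directives["max-age"] = int(directives["max-age"])
    return directives

def audit_hsts(value, min_age=ONE_YEAR):
    """Return a list of findings; an empty list means the policy passes."""
    policy = parse_hsts(value) if value else None
    if policy is None:
        return ["header missing or malformed, so browsers apply no policy"]
    findings = []
    age, subs = policy["max-age"], "includesubdomains" in policy
    if age == 0:
        findings.append("max-age=0 tells browsers to drop the stored policy")
    elif age < min_age:
        findings.append(f"max-age {age} is shorter than {min_age}")
    if not subs:
        findings.append("includeSubDomains missing, subdomains are not covered")
    # Preload list submission needs includeSubDomains and max-age of a year or more.
    if "preload" in policy and not (subs and age >= ONE_YEAR):
        findings.append("preload set, but the policy is not preload-ready")
    return findings

if __name__ == "__main__":
    # Constructed sample header values, not captured from a real site.
    for sample in ("max-age=31536000; includeSubDomains",
                   'MAX-AGE="600"; preload',
                   "includeSubDomains", None):
        print(repr(sample), "->", audit_hsts(sample) or "OK")
```

Feed it the value of the Strict-Transport-Security header from an HTTPS response; browsers ignore the header on plain HTTP responses.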
Detected automatically by the SEOlvl SEO Health audit (check hsts).