ServerRecords

Help & Troubleshooting

HSTS

What this is

The Strict-Transport-Security header tells browsers to only ever contact your site over HTTPS for max-age seconds, eliminating the brief unprotected window on http:// requests that attackers can exploit.

How to read your result

Healthy: the header present on HTTPS responses with max-age of at least a year (31536000), ideally includeSubDomains. The header on HTTP responses is ignored by browsers — it must be served over HTTPS.

Common problems and how to fix them

No HSTS header

How it shows up: Every first visit and every typed http:// URL makes one unprotected request that a network attacker can intercept and keep on plain HTTP.

How to fix it: Add Strict-Transport-Security: max-age=31536000; includeSubDomains at the web server or CDN. Start with a shorter max-age (e.g. 86400) if you are unsure every subdomain serves HTTPS, then raise it.

max-age too short

How it shows up: Scanners score the site down; protection lapses for infrequent visitors.

How to fix it: Raise max-age to at least 31536000 (one year) once HTTPS is stable everywhere the policy covers.

includeSubDomains broke an HTTP-only subdomain

How it shows up: Some internal or legacy subdomain became unreachable for anyone who visited the main site — browsers force HTTPS on it.

How to fix it: Either serve that subdomain over HTTPS (best) or remove includeSubDomains and wait for cached policies to expire — which takes as long as the old max-age. This is why includeSubDomains deserves an audit first.

Run a look up for this record