1.6 HTTPS / security / infrastructure | Low | Inferred

HSTS header missing

Without HSTS, the first request to a site can still go over insecure HTTP before redirecting. The Strict-Transport-Security header tells browsers to always use HTTPS from the start.

What it is

The site's responses carry no Strict-Transport-Security header.

Why it matters

Minor; leaves a window for downgrade on first visit.

How to fix it

Add HSTS once HTTPS is stable.

How to find it on your site

  1. Check response headers for Strict-Transport-Security with curl -I.
  2. Confirm HTTPS is fully working before enabling it.
  3. Add the HSTS header with a sensible max-age.
  4. Consider preloading once you are confident it is permanent.
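One way to script steps 1, 3 and 4: the function below reads response headers (as printed by curl -I) from stdin and classifies the HSTS policy. It is an added example, not part of the original checklist. The function name hsts_check, the labels it prints and the 180-day MIN_AGE floor are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the HSTS policy found in response headers on stdin.
# Live use (example.com is a placeholder): curl -sI https://example.com/ | hsts_check
# Check the HTTPS response: browsers ignore this header when it arrives over HTTP.
# Prints: missing | invalid | disabled | short:<s> | ok:<s> | preload-ready:<s>

MIN_AGE=15552000      # assumption: 180 days as the floor for a "sensible" max-age
PRELOAD_AGE=31536000  # one year, the minimum the preload list accepts

hsts_check() {
    # Header names are case-insensitive; only the first STS header counts.
    value=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 | cut -d: -f2-)
    [ -n "$value" ] || { echo "missing"; return 1; }
    # Directive names are case-insensitive and the value may be quoted.
    norm=$(printf '%s' "$value" | tr 'A-Z' 'a-z' | tr -d ' \t"')
    age=""; subs=0; preload=0
    old_ifs=$IFS; IFS=';'
    for d in $norm; do
        case $d in
            max-age=*) age=${d#max-age=} ;;
            includesubdomains) subs=1 ;;
            preload) preload=1 ;;
        esac
    done
    IFS=$old_ifs
    case $age in ''|*[!0-9]*) echo "invalid"; return 1 ;; esac
    # max-age=0 tells the browser to forget the policy.
    [ "$age" -ne 0 ] || { echo "disabled"; return 1; }
    [ "$age" -ge "$MIN_AGE" ] || { echo "short:$age"; return 1; }
    if [ "$age" -ge "$PRELOAD_AGE" ] && [ "$subs" -eq 1 ] && [ "$preload" -eq 1 ]; then
        echo "preload-ready:$age"
    else
        echo "ok:$age"
    fi
}

# Constructed sample response headers, not captured from a real site.
hsts_check <<'EOF'
HTTP/2 200
content-type: text/html
strict-transport-security: max-age=31536000; includeSubDomains
EOF
```

The function exits non-zero for every result other than ok and preload-ready, so it can gate a deployment check.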

Cross-reference to ranking and citation factors

HSTS is a security hardening measure with little direct ranking effect, but it closes a small insecure-first-request gap.

Impact

Low. Inferred (security best practice).

Evidence

HSTS strengthens HTTPS enforcement. Source: Google Search Central, "Secure your site with HTTPS".