Missing HSTS header
The site did not return a `Strict-Transport-Security` header on the HTTPS response. Without HSTS, browsers are more exposed to downgrade and SSL stripping scenarios, especially on first visit or when users follow insecure links.
What this usually means
- No HTTPS policy memory: The browser is not instructed to keep using HTTPS for future visits.
- Unsafe to preload blindly: HSTS should be added deliberately. `includeSubDomains` and `preload` are only safe when every covered hostname is HTTPS-ready.
Fix path
- Cloudflare: Enable HSTS in `SSL/TLS` -> `Edge Certificates`. Start with a deliberate `max-age`, then add `includeSubDomains` or `preload` only after verifying all covered hostnames are HTTPS-only.
- Nginx: Add `add_header Strict-Transport-Security "max-age=31536000" always;` in the HTTPS `server` block (browsers ignore the header on plain HTTP responses, so it belongs on HTTPS only). Extend the policy only when subdomains are ready.
- Apache: Add `Header always set Strict-Transport-Security "max-age=31536000"` on HTTPS responses. Add `includeSubDomains` later if appropriate.
- IIS: Add a `Strict-Transport-Security` custom header on the HTTPS site and validate the policy before expanding it to subdomains.
- CloudFront / CDN edge: Attach a response headers policy that adds `Strict-Transport-Security`, or emit the header from the origin if you want application-level control.
Safe rollout advice
- Start smaller if needed: If you are not sure every subdomain is HTTPS-only, start with `max-age` alone and without `includeSubDomains`.
- Preload last: Only add `preload` after meeting the preload requirements and deciding that the domain should be locked to HTTPS long term.
Verify after change
- Re-run TLS Advisor: The HSTS policy section should turn green and show the returned header value.
- Check exact header: Confirm the response includes the intended `max-age` and any optional directives you chose.
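The staged rollout above and the "check exact header" step can be automated with a small checker that parses the returned `Strict-Transport-Security` value and compares it with the stage you intended (`max-age` only, then `includeSubDomains`, then `preload`). The following Python is an added example, not code from TLS Advisor or from the original page; the header values in `SAMPLE_HEADERS` are constructed for the demonstration, and the `parse_hsts` / `check_hsts` function names and the stage labels are this example's own choices. Parsing follows RFC 6797 (directives separated by `;`, case-insensitive names, `max-age` mandatory, duplicate directives invalid); the one-year minimum is the value the page recommends and the preload list requires.

```python
"""Check a returned Strict-Transport-Security header against an intended
HSTS rollout stage. Added example; the sample header values below are
constructed, not captured from a real site."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds: the max-age recommended above and the preload-list minimum

# Constructed sample HTTPS responses, keyed by a label (no real hosts involved).
# The value is the header as returned, or None when the response lacked it.
SAMPLE_HEADERS: Dict[str, Optional[str]] = {
    "missing": None,
    "initial": "max-age=31536000",
    "subdomains": "max-age=31536000; includeSubDomains",
    "preload": "max-age=31536000; includeSubDomains; preload",
    "disabled": "max-age=0",
    "short": "max-age=300; includeSubDomains",
    "duplicate": "max-age=31536000; max-age=60",
}


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False
    unknown: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a header value as RFC 6797 section 6.1 describes: directives are
    separated by ';', names are case-insensitive, max-age is mandatory, and a
    directive that appears twice makes the whole header invalid."""
    seen = set()
    max_age: Optional[int] = None
    include_subdomains = preload = False
    unknown: List[str] = []
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate an empty segment such as a trailing ';'
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # max-age="86400" is a valid quoted form
        if name in seen:
            raise ValueError(f"duplicate directive {name!r}")
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", val):
                raise ValueError(f"max-age must be a non-negative integer, got {val!r}")
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        else:
            unknown.append(name)  # browsers ignore directives they do not recognise
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload, unknown)


def check_hsts(header: Optional[str], stage: str) -> List[str]:
    """Return findings for the header against the intended stage, one of
    'initial' (max-age only), 'subdomains' (adds includeSubDomains) or
    'preload' (adds preload). An empty list means the header matches."""
    if stage not in ("initial", "subdomains", "preload"):
        raise ValueError(f"unknown stage {stage!r}")
    if header is None:
        return ["missing: no Strict-Transport-Security header on the HTTPS response"]
    try:
        policy = parse_hsts(header)
    except ValueError as exc:
        return [f"invalid: {exc}"]
    findings: List[str] = []
    if policy.max_age == 0:
        findings.append("max-age=0 makes browsers forget the policy; HSTS is effectively off")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age={policy.max_age} is below the one-year value ({ONE_YEAR})")
    if stage == "initial" and (policy.include_subdomains or policy.preload):
        findings.append("policy is broader than the initial stage: drop includeSubDomains/preload "
                        "until every subdomain is verified HTTPS-only")
    if stage in ("subdomains", "preload") and not policy.include_subdomains:
        findings.append("includeSubDomains is missing for this stage")
    if stage == "preload" and not policy.preload:
        findings.append("preload directive is missing")
    if policy.preload and not policy.include_subdomains:
        findings.append("preload without includeSubDomains will be rejected by the preload list")
    return findings


if __name__ == "__main__":
    # Walk the constructed samples through two stages and print the findings.
    for label, header in SAMPLE_HEADERS.items():
        for stage in ("initial", "preload"):
            print(f"{label:10} as {stage:8}: {check_hsts(header, stage) or ['ok']}")
```

In practice you would feed `check_hsts` the header captured from the real HTTPS response (for example from `curl -sI https://example.test` or the browser's network panel) and treat any non-empty result as a reason to hold the rollout at its current stage; the `duplicate` and `max-age=0` samples show the two misconfigurations that look like a present header but leave the site unprotected.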