No HSTS header

HSTS stands for HTTP Strict Transport Security. It is a response header (Strict-Transport-Security) that your web server sends over HTTPS to instruct browsers to connect to your site only over HTTPS, never over unencrypted HTTP, for as long as the policy's max-age lasts. This header is missing from your site's responses.

Why this matters

Without it, every visit that starts from an http:// URL (a typed address, an old bookmark, a link on another site) is sent over plain HTTP before your server redirects it to HTTPS. During that plaintext request, someone on the same network, on a coffee shop Wi-Fi for example, can intercept the connection and keep the visitor on HTTP (an "SSL stripping" attack), reading or altering everything that follows. With HSTS, once a browser has seen the header on one successful HTTPS response, it rewrites http:// requests to https:// locally for the rest of the max-age period, so the plaintext request never leaves the machine. Note that the policy only takes effect after that first HTTPS visit; the very first request a browser ever makes to your site is only protected if the domain is on the browsers' HSTS preload list.

How to fix it

Add a Strict-Transport-Security header with a long max-age (at least one year, written as 31536000 seconds) and include the includeSubDomains directive. Send it on every HTTPS response, including redirects and error pages; browsers ignore the header when it arrives over plain HTTP, so sending it only there does nothing. Do this only after confirming that HTTPS works correctly across your entire site: includeSubDomains commits every subdomain (including ones you may not think of as web sites, such as mail or internal hosts) to HTTPS, and browsers will refuse to reach them over HTTP until the max-age expires. If you are unsure, roll out with a short max-age (for example a few minutes) first, fix anything that breaks, then raise it to a year.
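As an added example (not part of the original finding page), the following Python checker parses a Strict-Transport-Security header the way a browser would read its directives (RFC 6797: semicolon-separated directives, case-insensitive names, max-age possibly quoted) and reports the problems the fix above warns about: header missing, max-age absent, zero or shorter than a year, includeSubDomains absent. The sample responses at the bottom are constructed inline so it runs offline; point check_hsts at real response headers (e.g. from requests or curl -I) to verify a deployment. The nginx and Apache lines in the comments are the standard directives for adding the header and are included here as assumptions about your server, not as text from the original page.

```python
"""Check a Strict-Transport-Security header for the problems described above.

Server-side fix this checks for (pick the one matching your server):
  nginx:  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
          ("always" makes nginx send it on redirects and error responses too)
  Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Both belong inside the HTTPS (port 443) server/virtual host only.
"""
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age recommended above


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split an HSTS header value into {directive-name: value-or-None}.

    Directive names are lower-cased because RFC 6797 makes them
    case-insensitive; a quoted max-age ("31536000") is unquoted.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else None
    return directives


def check_hsts(headers: Dict[str, str], min_age: int = ONE_YEAR,
               require_subdomains: bool = True) -> List[str]:
    """Return a list of findings for one response's headers; empty means OK.

    Header names are matched case-insensitively. Only call this on headers
    from an HTTPS response: browsers discard HSTS received over plain HTTP.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["Strict-Transport-Security header missing"]

    findings: List[str] = []
    d = parse_hsts(value)
    age_str = d.get("max-age")
    if age_str is None or not age_str.isdigit():
        findings.append("max-age directive missing or not an integer")
    else:
        age = int(age_str)
        if age == 0:
            findings.append("max-age=0 disables HSTS (browsers forget the policy)")
        elif age < min_age:
            findings.append(f"max-age={age} is below the recommended {min_age} seconds")
    if require_subdomains and "includesubdomains" not in d:
        findings.append("includeSubDomains directive missing")
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "no header":      {"Content-Type": "text/html"},
    "too short":      {"Strict-Transport-Security": "max-age=300"},
    "disabled":       {"strict-transport-security": "max-age=0; includeSubDomains"},
    "recommended":    {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "quoted+preload": {"Strict-Transport-Security": 'max-age="63072000"; includeSubDomains; preload'},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        problems = check_hsts(hdrs)
        print(f"{label:14s} -> {'OK' if not problems else '; '.join(problems)}")
```

The checker treats max-age=0 as a distinct finding because that value is how a site deliberately tells browsers to drop a policy; seeing it on a production host usually means a rollback was never reverted.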