How To Fix the “HSTS Missing From HTTPS Server” Error

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. When a server has HSTS enabled, it informs the browser to only interact with it over HTTPS. The “HSTS Missing From HTTP Server” error indicates that this policy is not correctly configured on your server. Here’s how to fix it:

1. Understanding HSTS

HSTS is implemented via an HTTP response header. When a browser receives this header from a server, it will only communicate with the server over HTTPS for a specified period. The header looks like this:

Strict-Transport-Security: max-age=31536000; includeSubDomains

  • max-age: Specifies the time, in seconds, that the browser should remember that the site is only accessible via HTTPS. For example, 31536000 seconds is equivalent to 1 year.

  • includeSubDomains: Optional directive that applies this policy to all subdomains of the site.

2. Prerequisites

Before enabling HSTS, ensure:

  • Your website is fully accessible via HTTPS.

  • All HTTP pages are redirected to their HTTPS counterparts.

  • You have a valid SSL/TLS certificate installed on your server.

3. Edit the Nginx Configuration File

You need to edit your Nginx configuration file to add the HSTS header. This configuration file is typically located in one of the following directories:


4. Add the HSTS Header

4.1 Open the Configuration File:

Open the configuration file for your site using a text editor. For example:

sudo nano /etc/nginx/sites-enabled/your-sitename.conf

4.2 Modify the Server Block:

Locate the server block handling HTTPS traffic. It typically looks like this:

server {

listen 443 ssl;


ssl_certificate /path/to/your/certificate.crt;

ssl_certificate_key /path/to/your/private.key;

# Add the HSTS header

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# Other configuration directives…


4.3 Add the HSTS Header:

Within the server block, add the add_header directive:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Here’s an example of what the server block might look like after adding the HSTS header:

server {

listen 443 ssl;


ssl_certificate /path/to/your/certificate.crt;

ssl_certificate_key /path/to/your/private.key;

# Add the HSTS header

add_header Strict-Transport-Security "max-age=31536000;

includeSubDomains" always;

location / {

# Your site configuration...



5. Test the Configuration

Before applying the changes, it’s essential to test your Nginx configuration to ensure there are no syntax errors.

Run the following command:

sudo nginx -t

If the test is successful, you should see output similar to:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

6. Reload Nginx

After verifying the configuration, reload Nginx to apply the changes:

sudo systemctl reload nginx

7. Verify the HSTS Header

Finally, verify that the HSTS header is being sent correctly. You can do this using various online tools or by checking the response headers directly.

Using curl:

Run the following command:

curl -I

Look for the Strict-Transport-Security header in the response:

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)

Date: Thu, 30 May 2024 12:00:00 GMT

Content-Type: text/html

Content-Length: 612

Last-Modified: Wed, 29 Apr 2020 15:00:00 GMT

Connection: keep-alive

ETag: "5ea9cd00-264"

Strict-Transport-Security: max-age=31536000; includeSubDomains


→ By adding the HSTS header to your Nginx configuration, you enforce strict transport security, ensuring that all communications with your server are conducted over HTTPS. This significantly enhances the security of your website by protecting it from protocol downgrade attacks and cookie hijacking.

Last updated