HSTS Header

Checks for HTTP Strict Transport Security header


Rule ID	`security/hsts`
Category	Security
Scope	Per-page
Severity	warning
Weight	6/10

Solution

HSTS forces browsers to only connect via HTTPS, preventing downgrade attacks. Add the header: Strict-Transport-Security: max-age=31536000; includeSubDomains. Start with a short max-age (1 day) to test, then increase to 1 year. The includeSubDomains directive protects all subdomains. Consider preloading via hstspreload.org for maximum protection.

Enable / Disable

Disable this rule

squirrel.toml

[rules]
disable = ["security/hsts"]

Disable all Security rules

squirrel.toml

[rules]
disable = ["security/*"]

Enable only this rule

squirrel.toml

[rules]
enable = ["security/hsts"]
disable = ["*"]

Getting Started

CLI

Concepts

CLI Reference

Rules Reference

Solution

Enable / Disable

Disable this rule

Disable all Security rules

Enable only this rule

Getting Started

CLI

Concepts

CLI Reference

Rules Reference

​Solution

​Enable / Disable

​Disable this rule

​Disable all Security rules

​Enable only this rule

Solution

Enable / Disable

Disable this rule

Disable all Security rules

Enable only this rule