Force browsers to always use HTTPS for your site, closing the SSL-stripping window.
Even with an HTTPS redirect, the very first request can go over HTTP before the redirect fires, which leaves a window for SSL-stripping attacks. HSTS tells the browser to use HTTPS for your domain from then on, removing that window entirely.
Strict-Transport-Security with a long max-age, then increase it and consider preload.

# No Strict-Transport-Security header

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Add the header in your host's panel, .htaccess, or a security plugin (e.g., "Really Simple SSL" Pro).
Add it under headers() in next.config.js, or at the CDN.
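As an added example (not code from this page's audit tool or from any project it names), the JavaScript below builds the header value shown above, parses a Strict-Transport-Security value the way a browser would (RFC 6797: semicolon-separated, case-insensitive directives), and reports what keeps a value from being preload-ready; hstsHeaders() is shaped like the headers() export in next.config.js. The one-year minimum, includeSubDomains and preload are the published requirements of the hstspreload.org submission list.

```javascript
// Added example: build, parse and audit a Strict-Transport-Security policy.
const ONE_YEAR = 31536000; // seconds; the minimum max-age the preload list accepts

// Build the header value from a policy object.
function buildHsts({ maxAge, includeSubDomains = false, preload = false }) {
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push("includeSubDomains");
  if (preload) parts.push("preload");
  return parts.join("; ");
}

// Parse a header value into a policy. Directives are ';'-separated and
// case-insensitive; max-age may be quoted. Returns null when max-age is
// missing or not a non-negative integer (the browser ignores such a header).
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const [name, val] = raw.trim().split("=").map((s) => s.trim().toLowerCase());
    if (name === "max-age") {
      const digits = (val ?? "").replace(/^"|"$/g, "");
      if (!/^\d+$/.test(digits)) return null;
      policy.maxAge = Number(digits);
    } else if (name === "includesubdomains") policy.includeSubDomains = true;
    else if (name === "preload") policy.preload = true;
  }
  return policy.maxAge === null ? null : policy;
}

// Audit a header value; an empty list means the policy is preload-ready.
function auditHsts(value) {
  if (!value) return ["No Strict-Transport-Security header"];
  const p = parseHsts(value);
  if (!p) return ["max-age missing or not a non-negative integer"];
  const findings = [];
  if (p.maxAge === 0) findings.push("max-age=0 removes the policy");
  else if (p.maxAge < ONE_YEAR) findings.push(`max-age ${p.maxAge} is below one year`);
  if (!p.includeSubDomains) findings.push("includeSubDomains missing (subdomains stay strippable)");
  if (!p.preload) findings.push("preload missing (not eligible for the preload list)");
  return findings;
}

// Shaped like the async headers() export in next.config.js (assumed layout).
async function hstsHeaders() {
  const value = buildHsts({ maxAge: ONE_YEAR, includeSubDomains: true, preload: true });
  return [{ source: "/(.*)", headers: [{ key: "Strict-Transport-Security", value }] }];
}
```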