Seoxpert.io · Severity: Medium · Category: Security

HSTS max-age Too Short

The Strict-Transport-Security max-age directive is set below 1 year (31536000 seconds), which shortens the window during which browsers enforce HTTPS for the host and makes the site ineligible for the HSTS Preload List.

By Seoxpert Editorial · Published

Why it matters

HSTS tells a browser to use only HTTPS for the host for max-age seconds after the last response that carried the header. With a short max-age the policy expires soon after a visit, so a returning user whose browser has forgotten it is back to the first-request problem: a typed hostname or an http:// link can be intercepted and kept on plain HTTP (SSL stripping). The HSTS Preload List, which ships inside Chrome, Firefox, Safari and Edge and takes submissions at hstspreload.org, requires a max-age of at least one year (31536000 seconds); a shorter value is rejected. Any SEO effect is indirect (HTTPS itself is the ranking signal, not the HSTS header); the direct cost is weaker downgrade protection and lost preload eligibility.

Impact

Once the policy has expired in a returning visitor's browser, that visitor's first plain-HTTP request is again exposed to an SSL-stripping man-in-the-middle attack, and the site cannot be submitted to the HSTS Preload List until max-age is at least 31536000.

How it's detected

The crawler inspects the response headers of HTTPS pages for Strict-Transport-Security, reads the max-age directive (a value in seconds) and flags any value below 31536000 (one year). Only HTTPS responses are inspected because browsers ignore the header when it arrives over plain HTTP.
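The check below is an added example for this page, not Seoxpert's crawler code. It applies the same rule to raw header values, parsing Strict-Transport-Security the way RFC 6797 section 6.1 prescribes: directive names are case-insensitive, max-age may carry a quoted value, a repeated directive or a missing max-age invalidates the header, and only the first STS header in a response is honoured (section 8.1). The sample responses are constructed here for illustration; fetch_sts is an optional helper for live hosts and is not used by the samples.

```python
"""Parse Strict-Transport-Security headers and flag a max-age below one year.

Added example (not the crawler's own code). Applies RFC 6797 parsing rules to
constructed sample responses embedded below; no network access is needed.
"""
import re
from typing import Optional

ONE_YEAR = 31536000  # seconds; the preload-list minimum and this check's threshold

# Constructed sample responses: label -> list of STS header values as received.
# A list because a misconfigured server can emit the header more than once.
SAMPLES = {
    "nginx-one-day": ["max-age=86400; includeSubDomains; preload"],
    "apache-30-days": ["max-age=2592000; includeSubDomains; preload"],
    "correct": ["max-age=31536000; includeSubDomains; preload"],
    "quoted-and-upper": ['MAX-AGE="63072000"; INCLUDESUBDOMAINS'],
    "max-age-zero": ["max-age=0"],
    "no-max-age": ["includeSubDomains; preload"],
    "duplicate-headers": ["max-age=300", "max-age=31536000"],
    "missing": [],
}


def parse_sts(value: str) -> Optional[dict]:
    """Parse one STS header value into {'max-age', 'includeSubDomains', 'preload'}.

    Returns None when a browser would discard the header: no max-age,
    a non-numeric max-age, or any directive given more than once.
    """
    result = {"max-age": None, "includeSubDomains": False, "preload": False}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # empty list elements are tolerated
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip()
        if name in seen:
            return None  # each directive may appear at most once
        seen.add(name)
        if name == "max-age":
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]  # max-age accepts a quoted-string value
            if not re.fullmatch(r"[0-9]+", val):
                return None
            result["max-age"] = int(val)
        elif name == "includesubdomains":
            result["includeSubDomains"] = True
        elif name == "preload":
            result["preload"] = True
        # unknown directives are ignored, per the RFC's extension rule
    if result["max-age"] is None:
        return None
    return result


def assess(headers: list[str]) -> tuple[str, Optional[int]]:
    """Classify a response's STS headers; returns (verdict, effective max-age).

    Only the first STS header is processed (RFC 6797 section 8.1), so a short
    first header is not rescued by a longer one later in the response.
    """
    if not headers:
        return "missing", None
    policy = parse_sts(headers[0])
    if policy is None:
        return "invalid", None
    age = policy["max-age"]
    if age == 0:
        return "cleared", 0  # max-age=0 tells browsers to forget the host's policy
    if age < ONE_YEAR:
        return "too-short", age
    return "ok", age


def run_samples() -> dict[str, str]:
    """Verdict for every constructed sample."""
    return {label: assess(values)[0] for label, values in SAMPLES.items()}


def fetch_sts(host: str) -> list[str]:
    """Optional live check: STS header(s) from https://host/ (not used by the samples)."""
    import http.client
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", "/")
    return conn.getresponse().headers.get_all("Strict-Transport-Security") or []


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:18} {verdict}")
```

Run it as-is to see the verdict for each constructed sample, or call assess(fetch_sts("example.org")) against a host you operate. The "duplicate-headers" case is the one worth remembering: adding a second, longer header in another config block does not fix a short one that is sent first.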

Common causes

  • Misconfigured web server security headers
  • Use of default or example configurations with low max-age
  • Unawareness of HSTS Preload List requirements
  • Testing shorter durations before production deployment

How to fix it

Update your web server configuration so that every HTTPS response, including redirects and error pages, carries 'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload'. Two years (max-age=63072000) is also common and equally acceptable; anything at or above 31536000 satisfies the preload requirement. Send the header only on HTTPS responses (browsers ignore it over plain HTTP), and in nginx put the add_header in the server block or repeat it in every location block that has its own add_header, since a location-level add_header replaces all inherited ones. Add 'includeSubDomains' and 'preload' only if every subdomain is already served over HTTPS and you intend to submit the domain at hstspreload.org; submission also requires that port 80, if open, redirect to HTTPS on the same host and that the base domain serve the header. Because preloading is hard to reverse, treat it as a deliberate decision rather than a default.

Code examples

Incorrect (Too Short), nginx: 86400 seconds is one day

add_header Strict-Transport-Security "max-age=86400; includeSubDomains; preload" always;

Correct (1 Year), nginx; 'always' attaches the header to error responses too (nginx 1.7.5 or later)

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Incorrect (Too Short), Apache with mod_headers: 2592000 seconds is 30 days

Header always set Strict-Transport-Security "max-age=2592000; includeSubDomains; preload"

Correct (1 Year), Apache with mod_headers; 'always' sets the header on error responses as well

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

FAQ

Why does HSTS require a max-age of at least 1 year for the preload list?

The policy only protects a user for max-age seconds after their last visit, so a value shorter than the typical gap between visits leaves returning users exposed on their next plain-HTTP request. The preload list bakes the policy into browser releases, so its maintainers require a commitment of at least one year (31536000 seconds) before accepting a submission.

Will increasing max-age to 1 year affect existing users?

For a site that is fully HTTPS, no: it only lengthens the period during which browsers refuse plain HTTP for the host. The caveat is rollback. If an HTTPS endpoint later breaks, affected browsers keep enforcing the policy until it expires or until they receive a response with max-age=0, so confirm HTTPS is stable everywhere before committing to a year.

Is it safe to include 'includeSubDomains' and 'preload' in the header?

Only if every subdomain, including the ones that are easy to forget (mail, internal tools, legacy hosts), is reachable over HTTPS; includeSubDomains will break any that are not. Treat preload as effectively permanent: once a browser ships with your domain on the list, removal takes months to reach users. Fix the subdomains first, then add the directives, and add 'preload' only when you actually intend to submit.

Can I test HSTS with a shorter max-age before setting it to 1 year?

Yes; a common rollout starts with a few minutes (for example max-age=300) to confirm nothing on the host breaks, then raises the value step by step. Set it to at least 31536000 before submitting for preload or treating the deployment as final.
