Strict-Transport-Security
The Strict-Transport-Security (HSTS) header tells browsers to connect to your site only over HTTPS for a set period, which prevents protocol downgrade (SSL-stripping) attacks. SaaSalyst checks whether your server sends this header; when it is missing, the scanner reports an absent security control that leaves users open to man-in-the-middle attacks on their first plain-HTTP request.
What SaaSalyst Checks
SaaSalyst inspects the HTTP response headers returned by your server for the Strict-Transport-Security header. The check is presence-based: if the header is found, the check passes; if it is absent, the check triggers a warning.
Why This Matters
Even with HTTPS enabled, a user who types your domain without 'https://' makes an initial plain-HTTP request before being redirected. During that window an attacker on the network path can intercept the request and keep the victim on HTTP (an SSL-stripping attack). HSTS closes this gap: once a browser has received the header over HTTPS, it rewrites every later http:// request for the site to https:// before anything leaves the machine, and it refuses to let the user click through certificate errors for that site.
HSTS is recommended by OWASP, NIST, and most security frameworks. Enterprise security audits specifically check for this header.
Once set, the policy is remembered by the browser for the specified max-age, so even bookmarked http:// links are upgraded to HTTPS locally, without a plain-HTTP round trip.
How to Fix It
- Add the Strict-Transport-Security header to your HTTPS responses: Strict-Transport-Security: max-age=31536000; includeSubDomains. Browsers ignore the header on plain-HTTP responses, so keep the HTTP-to-HTTPS redirect in place and send the header on the HTTPS side.
- For Vercel deployments, add the header in vercel.json or in the headers() function of next.config.js.
- Start with a short max-age (e.g., 300 seconds) while testing, then raise it to 31536000 (1 year) once every page and asset is confirmed to load over HTTPS. A long max-age is hard to walk back: browsers that have cached it will refuse HTTP for that period, and the only way to revoke it is to serve max-age=0 over HTTPS to each returning browser.
- Add includeSubDomains only once every subdomain, including internal or legacy hosts, is served over HTTPS, because the policy applies to all of them. Add preload and submit the domain to the browser HSTS preload list (hstspreload.org) only after that: the list requires max-age of at least 31536000, includeSubDomains and preload, and removal from the list takes a long time to reach released browsers.
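The following is an added example in JavaScript, not SaaSalyst's scanner code or anything from the original page. It goes one step beyond a presence check: it parses a Strict-Transport-Security value using the RFC 6797 syntax rules (case-insensitive directive names, optional quoted values, each directive at most once, unknown directives ignored), reports the weaknesses the steps above warn about (short max-age, missing includeSubDomains, preload without its prerequisites, header observed on a plain-HTTP response), and builds a valid header value for a next.config.js headers() entry. The sample header values are constructed, and the function names and finding messages are chosen here rather than taken from any standard API.

```javascript
// Added example: parse, evaluate and build Strict-Transport-Security values.
// Not SaaSalyst code; the function names and messages are this example's own.

const ONE_YEAR = 31536000; // seconds; the max-age the preload list requires

// Parse "max-age=31536000; includeSubDomains; preload" into a policy object.
// Returns null when the value does not conform to RFC 6797 syntax, because a
// browser must ignore such a header (RFC 6797 section 8.1).
function parseHsts(value) {
  if (typeof value !== 'string') return null;
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  const seen = new Set();
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (directive === '') continue; // tolerate a trailing ";"
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (seen.has(name)) return null; // each directive may appear only once
    seen.add(name);
    if (val !== null && val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1); // quoted-string form is permitted
    }
    if (name === 'max-age') {
      if (val === null || !/^\d+$/.test(val)) return null; // must be delta-seconds
      policy.maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      if (val !== null) return null; // valueless directive
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      if (val !== null) return null; // valueless directive
      policy.preload = true;
    }
    // Unrecognised directives are ignored, as browsers do.
  }
  if (policy.maxAge === null) return null; // max-age is required
  return policy;
}

// Evaluate a raw header value (undefined when the header is missing) against the
// deployment guidance above. Returns a list of findings; an empty list is clean.
function evaluateHsts(value, { overHttps = true } = {}) {
  const findings = [];
  if (!overHttps) findings.push('header observed on a plain-HTTP response: browsers ignore it there');
  if (value === undefined) {
    findings.push('missing');
    return findings;
  }
  const policy = parseHsts(value);
  if (policy === null) {
    findings.push('invalid syntax: browsers ignore the header');
    return findings;
  }
  if (policy.maxAge === 0) {
    findings.push('max-age=0 clears the policy rather than setting one');
  } else if (policy.maxAge < ONE_YEAR) {
    findings.push(`max-age ${policy.maxAge} is below the recommended 31536000`);
  }
  if (!policy.includeSubDomains) findings.push('includeSubDomains absent: subdomains stay unprotected');
  if (policy.preload && (!policy.includeSubDomains || policy.maxAge < ONE_YEAR)) {
    findings.push('preload present but preload-list requirements (max-age >= 31536000 and includeSubDomains) not met');
  }
  return findings;
}

// Build a header value for a config file. Refuses to emit `preload` unless the
// preload-list prerequisites hold, so the directive cannot be sent by mistake.
function buildHstsHeader({ maxAge, includeSubDomains = false, preload = false }) {
  if (!Number.isInteger(maxAge) || maxAge < 0) throw new RangeError('max-age must be a non-negative integer');
  if (preload && (!includeSubDomains || maxAge < ONE_YEAR)) {
    throw new Error('preload requires includeSubDomains and max-age >= 31536000');
  }
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push('includeSubDomains');
  if (preload) parts.push('preload');
  return parts.join('; ');
}

// Shape of one entry returned by headers() in next.config.js: apply the header
// to every route. (Helper name chosen for this example.)
function nextHeadersConfig(value) {
  return [{ source: '/(.*)', headers: [{ key: 'Strict-Transport-Security', value }] }];
}

// Constructed sample responses (not captured from a real site).
console.log('missing header      ->', evaluateHsts(undefined));
console.log('testing value       ->', evaluateHsts('max-age=300'));
console.log('sent over HTTP      ->', evaluateHsts('max-age=31536000', { overHttps: false }));
console.log('production value    ->', evaluateHsts(buildHstsHeader({ maxAge: ONE_YEAR, includeSubDomains: true, preload: true })));
console.log('next.config entry   ->', JSON.stringify(nextHeadersConfig(buildHstsHeader({ maxAge: ONE_YEAR, includeSubDomains: true }))));
```

Run it with node; the same evaluateHsts call can be pointed at the strict-transport-security header of a real HTTPS response once you have fetched it, remembering to pass overHttps: false for any header seen on the redirecting HTTP port.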
Frequently Asked Questions
How does SaaSalyst check for HSTS?
SaaSalyst inspects your server's HTTP response headers for the Strict-Transport-Security header. The check is presence-based: if the header is present, the check passes; if it is absent, the check triggers a warning.
What does the HSTS header do?
HSTS tells browsers to use HTTPS for every connection to your site for the duration of its max-age, preventing protocol downgrade attacks. SaaSalyst checks for it because it is a critical security header recommended by OWASP.
How does missing HSTS affect my Business Readiness Score?
SaaSalyst rates HSTS as high severity in Security & Infrastructure. Missing it weakens your HTTPS security and is specifically checked during enterprise security audits.
References & Official Sources
Official regulatory and standards sources relevant to the checks SaaSalyst runs on your site.
- OWASP Top 10 — OWASP
- Security Headers Reference — Mozilla
- HSTS Preload List — Google
Check Your SaaS Now — Free
SaaSalyst scans your website in 30 seconds and checks for Strict-Transport-Security along with 40+ other business readiness signals.