2 subdomain doesn’t support HSTS means that two specific websites linked to your main domain haven’t activated a security feature called HSTS (HTTP Strict Transport Security). This feature essentially tells web browsers always to use a secure HTTPS connection when accessing those subdomains, protecting users from potential attacks like eavesdropping or data manipulation.
What are 2 Subdomains that don’t Support HSTS?
A warning appears in SEMRush that a website is not enforcing HTTP Strict Transport Security (HSTS) indicating that the site is not forcing web browsers to use secure communications (HTTPS)”
HSTS is an HTTP header that includes all subdomains, even those used solely on intranets. If a user clicks an http:// link or types in an http:// URL, HSTS causes the browser to rewrite the URL to use https:// before initiating the connection.
How to Fix 2 subdomain doesn’t support HSTS
HSTS is necessary to prevent downgrade attacks, even if plain HTTP connections are unsupported on the server. It can also help protect a site against cookie hijacking and protocol attacks.
To fix the “HSTS Missing From HTTPS Server” error, add the HSTS security in the .htaccess/header to your server. Here is the code.
<IfModule mod_headers.c> <If "%{REQUEST_SCHEME} == 'https' || %{HTTP:X-Forwarded-Proto} == 'https'">
Header set Strict-Transport-Security "max-age=31536000"
</If>
</IfModule>
If you’re using Cloudflare, you can enable HSTS in their SSL tab.
To enable or correct HSTS in IIS, you can:
- Open the IIS Manager on your server
- Select your website in the Connections pane
- Double-click HTTP Response Headers in the website’s features pane
- Click Add in the Actions pane and enter “Strict-Transport-Security” as the name