HSTS (Strict-Transport-Security) tells browsers that already know your site to NEVER attempt a plain-HTTP connection again, even if a user types http:// or clicks an old http:// link — closing the specific window where a network attacker could intercept that very first request before a redirect to HTTPS happens.
HSTS forces browsers to only ever connect to your site over HTTPS, closing a window attackers use to downgrade connections. It is a modern security baseline Google's Best Practices audit checks.
The Strict-Transport-Security header is present with a meaningful max-age, ideally including subdomains.
Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.
Run this check in H.I.V.E. →