CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
The web server does not send an HTTP Strict Transport Security (HSTS) header. HSTS instructs browsers to connect to the site only over HTTPS for a declared period (the max-age value), which prevents downgrade attacks to an insecure HTTP connection. Browsers only honor the header when it is received over a valid HTTPS connection, so it must be set on the TLS virtual host.
Use one of the following guides to set the header that enables HSTS.
With Let's Encrypt it is very easy to enable HSTS. When creating a new certificate, just add the --hsts flag to the certbot command. If your certificates were already generated by Let's Encrypt, run the same command again and choose "Attempt to reinstall this existing certificate" as the first option. This reuses your certificate and only adds the HSTS header to the web server configuration.
On Apache you need to update your SSL configuration to include the correct Header directive (provided by mod_headers). Add this to the virtual host configuration in
On Nginx you need to update your SSL configuration, which is usually located at /etc/nginx/sites-enabled/yoursite.com (Ubuntu / Debian) or /etc/nginx/conf.d/nginx.conf (RHEL / CentOS), to include the correct header with the add_header directive: