Will It Vibe logoWill It Vibe?
WEBSEC-007Medium severity-8 points

HSTS disabled or max-age of zero

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

Strict-Transport-Security is turned off (hsts: false) or set to max-age=0, leaving users open to protocol-downgrade and SSL-stripping attacks.

Why it matters

HSTS tells browsers to only reach your site over HTTPS. With hsts: false or max-age=0 that instruction is withdrawn, so the first request each visit can go over plain HTTP and be intercepted or downgraded. This is exactly the window an SSL-stripping attacker on the network needs.

How to fix it

Enable HSTS with a real max-age (start around a few weeks, then raise toward a year once you are confident). Include subdomains only when every subdomain serves HTTPS. Consider preload once the policy is stable. In helmet this is the hsts option with maxAge set; make sure the site is fully served over HTTPS first so you do not lock users out.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks