How to fix: Strict-Transport-Security (NIS2 technical measure)

NIS2 Art. 21(2)(a)

Why this matters

NIS2 requires appropriate transport encryption for in-scope services. Enforcing HSTS demonstrates that the requirement is met technically, rather than left as an optional configuration that a client can bypass.

Background

NIS2 technical measures require transport encryption. HSTS tells browsers that have already seen the header to use HTTPS only for the configured period, so a network attacker can't downgrade a repeat visitor's connection to plain HTTP. This check is identical to security.hsts; it is surfaced here under NIS2 framing.

References

NIS2 Art. 21(2)(a) · RFC 6797 (HSTS)

How to fix

Code snippet for each stack we cover. Pick the one matching your server / framework.

nginx:
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

apache:
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

cloudflare:
    SSL/TLS → Edge Certificates → HSTS → Enable.

wordpress:
    Configure at server / Cloudflare. No WP-level fix.

flask:
    Use flask-talisman, or add the header in an @app.after_request hook:
    resp.headers.setdefault('Strict-Transport-Security', 'max-age=31536000; includeSubDomains')

express:
    helmet.hsts({ maxAge: 31536000, includeSubDomains: true })

rails:
    config.force_ssl = true (adds HSTS automatically)

Verify it's working

curl -sI https://your-site/ | grep -i strict-transport-security

Check the HTTPS response specifically: per RFC 6797, user agents ignore a Strict-Transport-Security header received over plain HTTP, so a header only present on the HTTP redirect does not count. If the HTTPS URL itself redirects, add -L so curl follows it and shows the final response headers.
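To interpret the header value that curl prints, here is an added Python checker (example code, not part of this guide) that parses it per RFC 6797 and reports whether it meets the baseline the snippets above set; the sample values it runs over are constructed.

```python
"""Check a Strict-Transport-Security header value the way a client would.

Added example (not part of the original guide): parses the header per
RFC 6797 and reports whether it meets the guide's baseline of
max-age=31536000 with includeSubDomains. Sample values are constructed.
"""
ONE_YEAR = 31536000  # the max-age used in the guide's snippets


def parse_hsts(value: str):
    """Return {'max-age': int, 'includeSubDomains': bool, 'preload': bool},
    or None when a user agent would ignore the header (RFC 6797 s6.1: max-age
    is required, a repeated directive invalidates the header, names are
    case-insensitive, unknown directives are skipped)."""
    seen = set()
    policy = {"max-age": None, "includeSubDomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None  # duplicate directive: whole header is ignored
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')  # value may be a quoted string
            if not arg.isdigit():
                return None  # max-age needs a non-negative integer
            policy["max-age"] = int(arg)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max-age"] is None:
        return None  # header without max-age is ignored
    return policy


def meets_baseline(value: str) -> bool:
    """True when HTTPS is enforced for at least a year, subdomains included."""
    policy = parse_hsts(value)
    return (policy is not None and policy["max-age"] >= ONE_YEAR
            and policy["includeSubDomains"])


if __name__ == "__main__":
    # Constructed header values, as they would appear in the curl output above
    for sample in ["max-age=31536000; includeSubDomains", "max-age=0", "max-age=300"]:
        print(f"{sample!r}: {meets_baseline(sample)}")
```

Note that max-age=0 parses as a valid header but fails the baseline: it tells the browser to drop any stored policy, which is the opposite of enforcement.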
