How to fix: Strict-Transport-Security (NIS2 technical measure)
NIS2 Art. 21(2)(a)
Why this matters
NIS2 requires appropriate transport encryption for in-scope services. Enforcing HSTS demonstrates that the requirement is met technically, rather than left to optional configuration that a client or attacker can bypass.
Background
NIS2 technical measures require transport encryption. HSTS enforces HTTPS for repeat visitors so a network attacker can't downgrade their connection. Identical to security.hsts; this check surfaces it under NIS2 framing.
References
NIS2 Art. 21(2)(a) · RFC 6797 (HSTS)
How to fix
Code snippet for each stack we cover. Pick the one matching your server / framework.
nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
cloudflare
SSL/TLS → Edge Certificates → HSTS → Enable.
wordpress
Configure at server / Cloudflare. No WP-level fix.
flask
Use flask-talisman, or an after_request hook that sets the header and returns the response:
@app.after_request
def add_hsts(resp): resp.headers.setdefault('Strict-Transport-Security', 'max-age=31536000; includeSubDomains'); return resp
express
app.use(helmet.hsts({ maxAge: 31536000, includeSubDomains: true }))
rails
config.force_ssl = true (adds HSTS automatically)
Verify it's working
curl -sI https://your-site/ | grep -i strict-transport-security
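The curl check above only shows whether the header is present. As an added example (not part of this page's audit tool), the stdlib-only Python checker below parses the header value per RFC 6797 and flags the weak cases: header missing, max-age=0, a max-age shorter than the one-year value used in the snippets above, and no includeSubDomains. The names check_site and MIN_MAX_AGE are assumptions; the sample header values are constructed, not captured from a real site.

```python
import urllib.request

# Minimum max-age this check expects: one year, matching the snippets above (assumed threshold).
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict of directives.
    RFC 6797 section 6.1: ';'-separated, names are case-insensitive, values may be quoted."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def assess_hsts(value):
    """Return (ok, findings). ok is True only when HSTS is enforced with
    max-age >= MIN_MAX_AGE and the policy covers subdomains."""
    findings = []
    if value is None:
        return False, ["header missing"]
    d = parse_hsts(value)
    if "max-age" not in d or not d["max-age"].isdigit():
        return False, ["max-age directive missing or not numeric"]
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 disables HSTS")  # browsers drop the cached policy
    elif max_age < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is below {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    return not findings, findings


def check_site(url):
    """Fetch response headers over HTTPS (requires network) and assess the HSTS header."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return assess_hsts(resp.headers.get("Strict-Transport-Security"))


# Constructed sample header values for offline demonstration.
SAMPLES = {
    "good": "max-age=31536000; includeSubDomains",
    "short": "max-age=300",
    "disabled": "max-age=0",
    "missing": None,
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, assess_hsts(value))
```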