Fix guide · medium · auth_page_missing_hsts

Auth page missing Strict-Transport-Security

What this rule means

Your page contains a password field and is served over HTTPS, but the response does not send the Strict-Transport-Security (HSTS) header.

Why it matters

HSTS tells browsers to refuse plain HTTP connections to your domain for the configured max-age and to upgrade them to HTTPS automatically. Without it, a user's first visit can be downgraded by an SSL-strip attack, where an on-path attacker keeps the connection on plain HTTP, before the user ever reaches HTTPS.

How to fix it

Add HSTS to every HTTPS response:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

For Cloudflare Pages, add to public/_headers:

/*
  Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Once the header has been served stably in production, submit your domain to the HSTS preload list (hstspreload.org) so the policy is hardcoded into browsers and even the very first visit is protected.
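To see why the rule fires and to confirm the fix before re-running a scan, here is a small checker written for this guide (it is not vibecheck's own code). It parses the Strict-Transport-Security value the way RFC 6797 describes (case-insensitive directive names, mandatory integer max-age, no duplicate directives, otherwise the browser ignores the whole header) and then applies the rule to a response: password field present, HTTPS URL, header missing or unusable. It also flags a policy that falls short of the preload list's published minimums (max-age of at least one year, includeSubDomains and preload present). The URLs, headers and the has_password_field flag are constructed sample inputs.

```python
"""Check an HTTPS auth page for a usable Strict-Transport-Security header.

Added example for this fix guide, not vibecheck's own rule implementation.
"""
import re

# Preload list minimums (hstspreload.org): max-age of at least one year,
# plus the includeSubDomains and preload directives.
PRELOAD_MIN_MAX_AGE = 31536000
RECOMMENDED_MAX_AGE = 63072000  # the two-year value used in the fix above


def parse_hsts(value):
    """Parse an STS header value into {lowercase directive: value}.

    Per RFC 6797, directive names are case-insensitive, max-age is required,
    values may be quoted, and a directive must not appear twice; a header that
    breaks these rules is ignored by the browser, so we return None for it.
    """
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, raw = token.partition("=")
        name = name.strip().lower()
        raw = raw.strip()
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        if name in directives:
            return None  # duplicate directive: whole header is ignored
        directives[name] = raw
    if "max-age" not in directives or not re.fullmatch(r"\d+", directives["max-age"]):
        return None  # max-age is mandatory and must be a non-negative integer
    return directives


def check_auth_page(url, headers, has_password_field):
    """Return a list of findings for one response; an empty list means it passes.

    `headers` is a dict of response headers with names in any case.
    """
    findings = []
    if not has_password_field:
        return findings  # the rule only applies to pages that collect a password
    if not url.lower().startswith("https://"):
        findings.append("auth page served over plain HTTP")
        return findings  # browsers ignore HSTS on HTTP responses anyway
    sts = next((v for k, v in headers.items()
                if k.lower() == "strict-transport-security"), None)
    if sts is None:
        findings.append("auth_page_missing_hsts: no Strict-Transport-Security header")
        return findings
    d = parse_hsts(sts)
    if d is None:
        findings.append("auth_page_missing_hsts: header present but malformed, browsers will ignore it")
        return findings
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 removes the policy instead of setting one")
    elif max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age={max_age} is below the one-year preload minimum")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains can still be downgraded")
    if "preload" not in d:
        findings.append("preload missing: policy is not eligible for the browser preload list")
    return findings


# Constructed sample responses for a login page (not real scan output).
SAMPLES = {
    "missing": ("https://app.example.test/login", {"Content-Type": "text/html"}, True),
    "weak": ("https://app.example.test/login",
             {"strict-transport-security": "max-age=300"}, True),
    "fixed": ("https://app.example.test/login",
              {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}, True),
    "no_pwd": ("https://app.example.test/about", {}, False),
}

if __name__ == "__main__":
    for name, (url, hdrs, pwd) in SAMPLES.items():
        print(name, check_auth_page(url, hdrs, pwd) or ["ok"])
```

Point check_auth_page at the real response headers of your login page (for example, the headers returned by a single HTTPS fetch) and it should come back empty once the _headers rule above is deployed. One caveat worth checking before you add includeSubDomains and preload: both are hard to back out, so make sure every subdomain already serves HTTPS, since the policy will apply to all of them.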

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.

Run another inspection