Missing HTTPS redirects and HSTS headers
Getting an HTTPS certificate is now a default on hosts like Vercel and Netlify. Forcing every visitor onto HTTPS, and telling browsers to refuse the plain HTTP version on future visits, is a separate step that often gets skipped.
#What goes wrong
Without an application-level HTTPS redirect, a user who types your domain without the https:// prefix, or follows any http:// link or bookmark, sends that first request in plain text, along with any cookies for the domain that are not marked Secure. Without HSTS, nothing stops the same thing happening on later visits: each plain http:// URL goes out in the clear and is only then redirected, which leaves room for a one-shot interception on a hostile network every time.
#Why it matters
On a public Wi-Fi network, an attacker who controls the network can read or modify that HTTP request and its response before the redirect takes effect. Session cookies without the Secure flag are lifted from the request itself, and if the attacker answers with their own plain-HTTP copy of the site instead of passing the redirect along (SSL stripping), passwords and CSRF tokens submitted afterwards are exposed too. HSTS closes the gap by having the browser rewrite http:// to https:// for your domain before any packet is sent, for as long as max-age allows. Browsers only honour the header when it arrives over HTTPS, so the very first visit is still exposed unless the domain is on the browser preload list.
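The browser-side behaviour described above, as an added example that is not Heimdall's code or any browser's implementation: a small model of the HSTS state a browser keeps per host, enough to show that the first plain-HTTP request is unprotected, that a header received over HTTP is ignored, and what max-age, includeSubDomains and preloading change. The class and function names, and the constructed response headers, are this example's own; the preloaded list stands in for the browser's built-in one.

```typescript
// Added example, not Heimdall's or a browser's code. Models the per-host HSTS
// policy a browser stores (RFC 6797) and the upgrade decision it makes before
// sending a request.

export interface HstsDirectives {
  maxAge: number;
  includeSubDomains: boolean;
  preload: boolean;
}

// Parse a Strict-Transport-Security value such as
// "max-age=31536000; includeSubDomains; preload". Returns null when the header
// is unusable (missing or non-numeric max-age), which a browser simply ignores.
export function parseHsts(value: string): HstsDirectives | null {
  let maxAge: number | null = null;
  let includeSubDomains = false;
  let preload = false;
  for (const raw of value.split(";")) {
    const directive = raw.trim();
    if (directive === "") continue;
    const eq = directive.indexOf("=");
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
    if (name === "max-age") {
      if (val === null || !/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === "includesubdomains") {
      includeSubDomains = true;
    } else if (name === "preload") {
      preload = true;
    }
    // Unknown directives are ignored, as the RFC requires.
  }
  return maxAge === null ? null : { maxAge, includeSubDomains, preload };
}

interface StoredPolicy {
  expiresAt: number; // epoch milliseconds
  includeSubDomains: boolean;
}

export class BrowserHstsStore {
  private policies = Object.create(null) as Record<string, StoredPolicy>;
  private preloaded = Object.create(null) as Record<string, true>;

  // `preloaded` stands in for the browser's built-in preload list. Entries on
  // the real list always cover subdomains, so this model treats them that way.
  constructor(preloaded: string[] = []) {
    for (const host of preloaded) this.preloaded[host.toLowerCase()] = true;
  }

  // Called for every response. The header is honoured only over HTTPS; over
  // plain HTTP an attacker on the path could have forged it, so it is ignored.
  recordResponse(host: string, scheme: "http" | "https", headers: Record<string, string>, now: number): void {
    if (scheme !== "https") return;
    let value: string | undefined;
    for (const key of Object.keys(headers)) {
      if (key.toLowerCase() === "strict-transport-security") { value = headers[key]; break; }
    }
    if (value === undefined) return;
    const parsed = parseHsts(value);
    if (parsed === null) return;
    const key = host.toLowerCase();
    if (parsed.maxAge === 0) {
      delete this.policies[key]; // max-age=0 is how a site withdraws HSTS
      return;
    }
    this.policies[key] = {
      expiresAt: now + parsed.maxAge * 1000,
      includeSubDomains: parsed.includeSubDomains,
    };
  }

  // Would a navigation to http://host be rewritten to https:// before any
  // packet leaves the machine? Checks the host itself and each parent domain.
  isUpgraded(host: string, now: number): boolean {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      if (this.preloaded[candidate] === true) return true;
      const policy = this.policies[candidate];
      if (policy === undefined) continue;
      if (policy.expiresAt <= now) {
        delete this.policies[candidate]; // expired: back to the unprotected state
        continue;
      }
      if (i === 0 || policy.includeSubDomains) return true;
    }
    return false;
  }
}

// Walks a constructed session through the states described in the text.
export function walkthrough(): string[] {
  const browser = new BrowserHstsStore();
  const t0 = 1700000000000;
  const year = 31536000;
  const response = { "Strict-Transport-Security": `max-age=${year}; includeSubDomains` };
  const out: string[] = [];
  out.push(`fresh browser upgrades http://example.com: ${browser.isUpgraded("example.com", t0)}`);
  browser.recordResponse("example.com", "http", response, t0);
  out.push(`header seen over HTTP only, upgrades: ${browser.isUpgraded("example.com", t0)}`);
  browser.recordResponse("example.com", "https", response, t0);
  out.push(`header seen over HTTPS, upgrades: ${browser.isUpgraded("example.com", t0 + 1)}`);
  out.push(`subdomain app.example.com upgrades: ${browser.isUpgraded("app.example.com", t0 + 1)}`);
  out.push(`one year later, upgrades: ${browser.isUpgraded("example.com", t0 + year * 1000)}`);
  return out;
}
```

The walkthrough shows the window the page is talking about: the first line is false because a fresh browser has nothing cached, the second stays false because the policy only arrived over HTTP, and the last line is false again once max-age runs out. Only the preloaded store skips the first step, which is why the preload list matters for the very first visit.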
#How Heimdall checks for this
Heimdall reads your middleware, Next.js config, and vercel.json looking for either an x-forwarded-proto redirect or a force-ssl rule, plus a Strict-Transport-Security header. If either piece is missing, it is reported separately with the file that should hold the fix.
#How to fix it
Add an HTTPS redirect in middleware.ts that returns a permanent redirect (301, or 308 if you want the request method preserved) to the https:// version of the same URL whenever the x-forwarded-proto header is http. Add a Strict-Transport-Security header in next.config.ts headers() with a max-age of at least 31536000 (one year) and includeSubDomains; if you want browsers to upgrade even the first visit, add the preload directive as well and submit the domain at hstspreload.org. Get the redirect working before you ship the header, because browsers ignore HSTS received over plain HTTP. Two cautions: includeSubDomains covers every subdomain, including internal or legacy hosts that may not serve HTTPS yet, and a long max-age or a preload entry cannot be undone quickly once browsers have cached it, so roll out with a short max-age first and only raise it once everything under the domain is confirmed to work over HTTPS.
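The two fixes as plain TypeScript, an added example rather than Heimdall's code or a snippet from the Next.js documentation. The function names, the allowedHosts parameter and the "/:path*" source pattern are this example's choices, explained in the comments. In a Next.js project, middleware.ts would pass the incoming request's headers and path to httpsRedirectLocation and return NextResponse.redirect(location, 308) when the result is non-null, and the array securityHeaders returns is the shape headers() in next.config.ts expects.

```typescript
// Added example, not Heimdall's or Next.js's code: the decision logic behind
// the HTTPS redirect and the HSTS header, framework-free so it runs anywhere.

export const ONE_YEAR_SECONDS = 31536000;

// The parts of a request that matter here, as seen behind a TLS-terminating
// proxy such as the Vercel or Netlify edge, which sets x-forwarded-proto.
export interface ProxiedRequest {
  headers: Record<string, string | undefined>;
  path: string; // path plus query string, e.g. "/login?next=%2F"
}

// Returns the https:// URL to redirect to, or null when no redirect is needed.
// Assumptions: x-forwarded-proto comes from the platform's own proxy (so only
// its first value is read), and `allowedHosts` lists the hostnames the site
// actually serves, so a forged Host header cannot turn the redirect into an
// open redirect to an attacker-chosen site.
export function httpsRedirectLocation(req: ProxiedRequest, allowedHosts: Set<string>): string | null {
  const proto = (req.headers["x-forwarded-proto"] ?? "").split(",")[0].trim().toLowerCase();
  if (proto !== "http") return null; // already HTTPS, or no proxy in front: nothing to do
  const host = (req.headers["host"] ?? "").trim().toLowerCase();
  if (host === "" || !allowedHosts.has(host)) return null; // let the app reject unknown hosts
  const path = req.path.startsWith("/") ? req.path : "/" + req.path;
  return `https://${host}${path}`;
}

export interface HstsOptions {
  maxAge: number;
  includeSubDomains: boolean;
  preload: boolean;
}

// Builds the header value and refuses combinations that would be rejected by
// hstspreload.org (preload needs max-age >= one year and includeSubDomains).
export function hstsHeaderValue(o: HstsOptions): string {
  if (!Number.isInteger(o.maxAge) || o.maxAge < 0) {
    throw new Error("max-age must be a non-negative integer number of seconds");
  }
  if (o.preload && (o.maxAge < ONE_YEAR_SECONDS || !o.includeSubDomains)) {
    throw new Error("preload requires max-age >= 31536000 and includeSubDomains");
  }
  const parts = [`max-age=${o.maxAge}`];
  if (o.includeSubDomains) parts.push("includeSubDomains");
  if (o.preload) parts.push("preload");
  return parts.join("; ");
}

// The entry next.config.ts headers() would return: one rule for every path,
// built from the same function so a weak configuration fails at build time.
export function securityHeaders(opts: HstsOptions = { maxAge: ONE_YEAR_SECONDS, includeSubDomains: true, preload: true }) {
  return [
    {
      source: "/:path*",
      headers: [{ key: "Strict-Transport-Security", value: hstsHeaderValue(opts) }],
    },
  ];
}
```

For a staged rollout, call securityHeaders({ maxAge: 300, includeSubDomains: true, preload: false }) first; hstsHeaderValue will refuse to emit preload until the policy is strong enough to be accepted, which keeps a half-finished rollout from being submitted by accident.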
Frequently asked questions
Doesn't Vercel handle this automatically?
What max-age should I use for HSTS?
What if I need to support a legacy HTTP-only client?
Run this check on your own repo
Heimdall scans your GitHub repo for this and 16 other issues in under a minute.
