Shopify store fails PCI compliance scan

Shopify store fails PCI compliance scan because “remote web server is not enforcing HSTS, as defined by RFC 6797”

I help run a Shopify store. During a recent PCI compliance scan, we failed only 5 tests. Each was related to HSTS, and I’ve included the error message details at the bottom of this post.

Since the initial scan, I have turned on HSTS in Cloudflare with:

Max Age: 6-months
Apply to Subdomains: On
Preload: Off
No-Sniff Header: Off

I can also confirm we are using SSL set to “Flexible”. Despite this, repeated scans continue to show the same error.

What steps can you recommend I take next? I appreciate any feedback or guidance.


The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is
an optional response header that can be configured on the server to instruct the
browser to only communicate via HTTPS. The lack of HSTS allows downgrade
attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking

Tell the tester the site is behind Cloudflare and ask them to mark those findings as N/A, or demonstrate that your origin server is actually responding. Beyond that, speak to your hosting provider.
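To see what the scanner sees, here is an added Python checker (not code from the thread or from Shopify/Cloudflare) that parses a Strict-Transport-Security header per RFC 6797 and applies the max-age test against the six-month value set in the post. The two sample responses are constructed, and `fetch_headers` is a hypothetical helper for a live run against your own hostname.

```python
import re
import ssl
import http.client

# Six months in seconds, matching the "Max Age: 6-months" Cloudflare setting.
SIX_MONTHS = 15552000


def parse_hsts(value):
    """Parse an STS header value (RFC 6797 section 6.1).

    Directive names are case-insensitive, unknown directives are ignored,
    and max-age may be given as a token or a quoted string.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"\d+", arg):
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def check_hsts(headers, min_age=SIX_MONTHS):
    """Return (passed, reason) for a list of (name, value) response headers."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return False, "no Strict-Transport-Security header in response"
    policy = parse_hsts(values[0])  # RFC 6797 8.1: only the first STS field counts
    if policy["max_age"] is None:
        return False, "header present but max-age directive missing"
    if policy["max_age"] < min_age:
        return False, "max-age %d is below %d" % (policy["max_age"], min_age)
    return True, "HSTS enforced (max-age=%d)" % policy["max_age"]


def fetch_headers(host, port=443, path="/"):
    """Hypothetical live helper: fetch HTTPS response headers (needs network)."""
    conn = http.client.HTTPSConnection(host, port, timeout=10,
                                       context=ssl.create_default_context())
    conn.request("HEAD", path, headers={"Host": host})
    return conn.getresponse().getheaders()


# Constructed sample responses, not captured from any real store.
CLOUDFLARE_EDGE = [("Server", "cloudflare"),
                   ("Strict-Transport-Security", "max-age=15552000; includeSubDomains")]
ORIGIN_DIRECT = [("Server", "nginx"), ("Content-Type", "text/html")]
```

Run `check_hsts` over headers fetched from the public hostname and, separately, from whatever address the scanner actually reaches, so the two results can be compared before replying to the tester.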


Yeah, at this point no one should trust you until you fix that. Fail = True


