Shopify store fails PCI compliance scan because “remote web server is not enforcing HSTS, as defined by RFC 6797”
I help run a Shopify store. During a recent PCI compliance scan, we failed only 5 tests. Each was related to HSTS, and I’ve included the error message details at the bottom of this post.
Since the initial scan, I have turned on HSTS in Cloudflare with:
Max Age: 6 months
Apply to Subdomains: On
No-Sniff Header: Off
I can also confirm we are using SSL set to “Flexible”. Despite this, repeated scans continue to show the same error.
What steps can you recommend I take next? I appreciate any feedback or guidance.
The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking
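A way to check what the scanner is actually seeing, as an added example that is not part of the original post and not Cloudflare's or the scanner's code: the script below parses a Strict-Transport-Security header the way RFC 6797 section 6.1 describes it (case-insensitive directives, a required non-negative integer max-age, optional includeSubDomains and preload, duplicates rejected) and then judges a response the way a compliance scanner would, including the RFC 6797 section 8.1 rule that the header only counts when received over HTTPS. The sample responses are constructed, not captured from any real host; the six-month minimum max-age is an assumption chosen to match the Cloudflare setting in the post, since RFC 6797 itself sets no threshold. `check_live` uses only the standard library, so you can run it once against `https://` and once against the origin host's own address to see whether both return the header; with Flexible SSL the edge adds the header, so the origin answering a scanner directly is one thing worth ruling out.

```python
"""Parse and evaluate Strict-Transport-Security headers per RFC 6797 (added example)."""
import re
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

SIX_MONTHS = 15552000  # seconds; assumed scanner threshold, matching the post's Cloudflare setting


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an STS field value: ';'-separated directives, names case-insensitive,
    max-age required, each directive at most once, unknown directives ignored."""
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # directive values may be quoted-strings
        if name in seen:
            policy.errors.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", val):
                policy.max_age = int(val)
            else:
                policy.errors.append(f"max-age is not a non-negative integer: {val!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age is None:
        policy.errors.append("required max-age directive missing")
    return policy


def evaluate_response(scheme: str, headers: Dict[str, str],
                      min_max_age: int = SIX_MONTHS) -> Tuple[bool, str]:
    """Decide whether one response enforces HSTS; returns (passed, reason)."""
    if scheme.lower() != "https":
        # RFC 6797 section 8.1: a UA ignores STS received over non-secure transport
        return False, "STS header only counts on an HTTPS response; test the https:// URL"
    # Case-insensitive lookup; only the first STS field is processed (section 8.1)
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "no Strict-Transport-Security header in the response"
    policy = parse_hsts(value)
    if policy.errors:
        return False, "malformed STS header: " + "; ".join(policy.errors)
    if policy.max_age < min_max_age:
        return False, f"max-age={policy.max_age} is below the required {min_max_age}"
    return True, (f"HSTS enforced: max-age={policy.max_age}, "
                  f"includeSubDomains={policy.include_subdomains}, preload={policy.preload}")


def check_live(url: str, timeout: float = 10.0) -> Tuple[bool, str]:
    """Fetch url (redirects are followed, so the final response is judged)
    and evaluate its HSTS header. Uses HEAD; a 4xx/5xx still carries headers."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=ssl.create_default_context()) as resp:
            headers = dict(resp.headers.items())
            final_url = resp.geturl()
    except urllib.error.HTTPError as e:
        headers, final_url = dict(e.headers.items()), e.geturl()
    return evaluate_response(urlparse(final_url).scheme, headers)


# Constructed sample responses (not captured from any real host).
SAMPLES = {
    "edge_https": ("https", {"Server": "cloudflare",
                             "Strict-Transport-Security": "max-age=15552000; includeSubDomains"}),
    "origin_http": ("http", {"Server": "nginx",
                             "Strict-Transport-Security": "max-age=15552000"}),
    "no_header": ("https", {"Server": "nginx"}),
}

if __name__ == "__main__":
    for name, (scheme, headers) in SAMPLES.items():
        print(name, evaluate_response(scheme, headers))
```

Run it with `python3 hsts_check.py` for the constructed samples, or call `check_live("https://example.invalid")` from a shell to test a real host; if the edge passes and a direct request to the origin address fails, the scanner's target is the next thing to confirm.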