
Sept. 17, 2025
10:32 a.m.
HSTS can only be applied on the HTTPS (port 443) VirtualHost, not on port 80. Since your Apache config only has a port 80 vhost, you’ll need to either locate or create a <VirtualHost *:443> block. Inside that, add:

    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Then enable the SSL modules (a2enmod ssl headers), reload Apache, and the scan should detect HSTS correctly. If nothing exists for 443, it’s safe to create a new VirtualHost for your mailman site. I found one helpful guide at: https://cheapsslweb.com/resources/how-to-fix-the-hsts-missing-from-https-ser.... Hope it helps!
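
One way to confirm the header after the reload, as an added example that is not part of the original post: a shell function that reads response headers on stdin and checks the Strict-Transport-Security policy against the values in the directive above. The function name, return codes and sample responses are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate the Strict-Transport-Security response header.
# Return codes (convention assumed for this example):
#   0 = policy OK, 1 = header missing, 2 = max-age missing or too low,
#   3 = includeSubDomains missing
MIN_MAX_AGE=31536000   # one year, the max-age used in the directive above

check_hsts() {
    # Strip CRs, match the header name case-insensitively, keep the first hit.
    value=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 | cut -d: -f2-)
    [ -n "$value" ] || return 1

    # One directive per line; drop whitespace and quotes, fold to lower case.
    directives=$(printf '%s' "$value" | tr ';' '\n' | tr -d ' \t"' | tr 'A-Z' 'a-z')

    max_age=$(printf '%s\n' "$directives" | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1)
    [ -n "$max_age" ] || return 2
    [ "$max_age" -ge "$MIN_MAX_AGE" ] || return 2

    printf '%s\n' "$directives" | grep -qx 'includesubdomains' || return 3
}

# Constructed sample responses (not captured from a real server).
SAMPLE_OK='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains'
SAMPLE_NO_HSTS='HTTP/1.1 200 OK
Server: Apache'
SAMPLE_SHORT='HTTP/1.1 200 OK
strict-transport-security: max-age=300'

for sample in "$SAMPLE_OK" "$SAMPLE_NO_HSTS" "$SAMPLE_SHORT"; do
    rc=0
    printf '%s\n' "$sample" | check_hsts || rc=$?
    echo "check_hsts returned $rc"
done
```

Against a live site, pipe the output of curl -sI for the https:// URL into check_hsts; browsers ignore this header on plain HTTP responses, so the port 443 response is the one to test.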