Companies without HSTS enabled

These domains don't enforce HTTPS via HSTS, making users vulnerable to downgrade attacks and SSL stripping.

Companies affected: 931
Total scanned: 2378
Prevalence: 39%
Domain    Score     Tier    HSTS Status
          42/100    Fail    Not set
          42/100    Fail    Not set
          42/100    Fail    Not set
          42/100    Fail    Not set
          45/100    Fail    Not set
+926 more companies

Which companies don't enforce HTTPS with HSTS?

HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS when connecting to a domain, preventing downgrade attacks and SSL stripping, where an attacker intercepts the initial plain-HTTP connection before it is redirected to HTTPS. Without HSTS, even sites with valid TLS certificates can have their connections intercepted on insecure networks. The domains listed above were found by LynxRadar to have no HSTS header or an insufficiently configured one.

LynxRadar scanned 2378 domains including Fortune 500 companies and Y Combinator startups. Of those, 931 (39%) were found to have this security gap. The data above is updated continuously as new domains are scanned. Scan any domain to check its status.

Frequently Asked Questions

What is a good HSTS max-age value?
The recommended HSTS max-age is at least 31536000 seconds (1 year). Many security standards require this minimum. Setting includeSubDomains and preload further strengthens protection.
How many companies don't use HSTS?
In LynxRadar's scan of 2378 domains, 931 (39%) were found without proper HSTS configuration.
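As an added illustration of the checks described in the explanation and the FAQ above (this is example code, not LynxRadar's scanner), the following evaluator parses a Strict-Transport-Security header value according to the RFC 6797 directive syntax and classifies it the way a scan result would be reported: "Not set" when the header is absent, "Invalid" when it has no usable max-age (browsers ignore such a header), "Insufficient" when max-age is below the one-year threshold from the FAQ, and "OK" otherwise, with notes on the missing includeSubDomains and preload directives. The hostnames and header values are constructed samples; nothing is fetched over the network.

```python
"""Evaluate Strict-Transport-Security header values against common hardening criteria.

Added example (not part of the page or of LynxRadar's tooling). Parses the
RFC 6797 directive list (max-age, includeSubDomains, preload) and classifies
the result. Sample headers are constructed inline so the script runs offline.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31536000  # recommended minimum max-age in seconds (1 year)


@dataclass
class HstsResult:
    status: str                   # "Not set", "Invalid", "Insufficient" or "OK"
    max_age: Optional[int]        # parsed max-age, None if absent or unparseable
    include_subdomains: bool
    preload: bool
    notes: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> Tuple[Dict[str, Optional[str]], List[str]]:
    """Split an STS header value into directives.

    Returns (directives, notes): directive names are lower-cased (they are
    case-insensitive per RFC 6797), values have surrounding quotes removed,
    and any repeated directive is recorded as a note and ignored (the RFC
    allows each directive at most once).
    """
    directives: Dict[str, Optional[str]] = {}
    notes: List[str] = []
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue  # tolerate trailing or doubled semicolons
        name, sep, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip() if sep else None
        if value is not None and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # quoted-string form is permitted by the RFC
        if name in directives:
            notes.append(f"duplicate directive '{name}' ignored")
            continue
        directives[name] = value
    return directives, notes


def evaluate_hsts(header_value: Optional[str], min_age: int = ONE_YEAR) -> HstsResult:
    """Classify a header value; None means the response carried no STS header."""
    if header_value is None:
        return HstsResult("Not set", None, False, False,
                          ["no Strict-Transport-Security header in the response"])
    directives, notes = parse_hsts(header_value)
    include_subdomains = "includesubdomains" in directives
    preload = "preload" in directives
    raw_age = directives.get("max-age")
    # max-age must be a non-negative integer; \d would also accept non-ASCII digits
    if raw_age is None or not re.fullmatch(r"[0-9]+", raw_age):
        notes.append("max-age missing or not a non-negative integer; browsers ignore the header")
        return HstsResult("Invalid", None, include_subdomains, preload, notes)
    max_age = int(raw_age)
    if max_age == 0:
        notes.append("max-age=0 tells browsers to forget the host; protection is disabled")
        return HstsResult("Insufficient", max_age, include_subdomains, preload, notes)
    if max_age < min_age:
        notes.append(f"max-age {max_age} is below the recommended {min_age} seconds")
        return HstsResult("Insufficient", max_age, include_subdomains, preload, notes)
    if not include_subdomains:
        notes.append("includeSubDomains absent: subdomains are still reachable over plain HTTP")
    if not preload:
        notes.append("preload absent: the very first visit is unprotected until the header is seen")
    return HstsResult("OK", max_age, include_subdomains, preload, notes)


# Constructed sample responses (hostname -> header value); not scan data.
SAMPLE_HEADERS: Dict[str, Optional[str]] = {
    "no-header.example": None,
    "short.example": "max-age=300",
    "zero.example": "max-age=0; includeSubDomains",
    "typical.example": "max-age=31536000; includeSubDomains",
    "preloaded.example": "max-age=63072000; includeSubDomains; preload",
    "broken.example": "includeSubDomains; preload",
}


def scan_samples(headers: Dict[str, Optional[str]] = SAMPLE_HEADERS) -> Dict[str, str]:
    """Return the status label for each sample host."""
    return {host: evaluate_hsts(value).status for host, value in headers.items()}


if __name__ == "__main__":
    for host, value in SAMPLE_HEADERS.items():
        result = evaluate_hsts(value)
        print(f"{host:20} {result.status:13} {'; '.join(result.notes) or 'no findings'}")
```

The parser is deliberately lenient about whitespace and quoting but strict about max-age, because a header that a browser would discard offers no protection even though a naive string match for "Strict-Transport-Security" would count it as present.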