Trust · CRITICAL

HTTPS enforced sitewide + HSTS (≥ 6-month max-age)

Homepage is served over HTTPS, http:// redirects to https://, and the HSTS max-age is ≥ 6 months. AI agents and payment flows refuse plain HTTP; weak HSTS is treated as effectively no HSTS by trust-and-safety scanners.

What this check looks for

Every agent surface refuses to transact with (or send users to) a store served over plain HTTP. HSTS adds a downgrade-attack defence and is universally scanned by trust-and-safety teams ahead of agent-surface approval. We require: (1) the homepage URL is HTTPS and responds with a status < 400; (2) an `http://host/` probe resolves through politeFetch, which follows redirects internally and lands on an `https://` URL (its SSRF guard already makes a non-https final destination implausible for a public storefront); (3) the HTTPS response carries a `Strict-Transport-Security` header whose `max-age` is ≥ 15,552,000 seconds (180 days), the six-month threshold SSL Labs and Mozilla Observatory use for their top grades. Two details matter when you verify this yourself: browsers only honour the header on a response delivered over HTTPS (RFC 6797 §8.1), so an STS header on the plain-HTTP reply counts for nothing, and if a response carries more than one STS header only the first is processed.
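As an added worked example (not the audit tool's own code; politeFetch is not modelled), the following Python applies the three conditions above to a table of constructed responses. It parses the header the way RFC 6797 §6.1 tells user agents to, so a duplicated or missing `max-age`, or a policy that only appears on the plain-HTTP reply, is rejected the way a browser would reject it. The `Response` class, `run_check`, the five-hop redirect limit and the `shop.example` responses are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MIN_MAX_AGE = 15_552_000   # 180 days: the threshold this check enforces
MAX_HOPS = 5               # assumed redirect-chain limit for the http:// probe


@dataclass
class Response:
    """Minimal stand-in for a fetched HTTP response (assumed shape, example only)."""
    status: int
    headers: Dict[str, List[str]]   # name -> values, in the order received

    def get(self, name: str) -> List[str]:
        want = name.lower()
        return [v for k, vs in self.headers.items() if k.lower() == want for v in vs]


_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_hsts(value: str) -> Optional[Dict[str, object]]:
    """Parse one Strict-Transport-Security field value per RFC 6797 s6.1.
    Returns the directive map, or None when a UA would ignore the header:
    a malformed or duplicated directive, or a missing / non-numeric max-age."""
    directives: Dict[str, object] = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue                      # the grammar allows empty slots ("a; ; b")
        name, sep, val = raw.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        if not _TOKEN.fullmatch(name) or name in directives:
            return None
        val = val.strip()
        if sep and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]               # the quoted-string form is allowed
        directives[name] = val if sep else True
    age = directives.get("max-age")
    if not isinstance(age, str) or not age.isdigit():
        return None                       # max-age is REQUIRED and must be delta-seconds
    directives["max-age"] = int(age)
    return directives


def hsts_max_age(resp: Response, url: str) -> Optional[int]:
    """The max-age a UA would record for this response, or None. Only the first
    STS header counts, and only on a response delivered over HTTPS (RFC 6797 s8.1)."""
    if not url.startswith("https://"):
        return None
    values = resp.get("Strict-Transport-Security")
    if not values:
        return None
    parsed = parse_hsts(values[0])
    return parsed["max-age"] if parsed else None


def run_check(host: str, fetch: Callable[[str], Optional[Response]]) -> Dict[str, bool]:
    """Apply the three conditions. `fetch(url)` is whatever transport you have;
    in this example it is an offline lookup in a constructed table."""
    home = f"https://{host}/"
    home_resp = fetch(home)
    https_ok = home_resp is not None and home_resp.status < 400

    url, redirect_ok = f"http://{host}/", False
    for _ in range(MAX_HOPS):             # follow the chain; Location assumed absolute
        resp = fetch(url)
        if resp is None:
            break
        if resp.status in (301, 302, 307, 308) and resp.get("Location"):
            url = resp.get("Location")[0]
            continue
        redirect_ok = url.startswith("https://") and resp.status < 400
        break

    age = hsts_max_age(home_resp, home) if home_resp else None
    return {"https": https_ok, "redirect": redirect_ok,
            "hsts": age is not None and age >= MIN_MAX_AGE}


# Constructed sample responses for a hypothetical store; not captured from a real site.
GOOD = {
    "http://shop.example/": Response(301, {"Location": ["https://shop.example/"]}),
    "https://shop.example/": Response(200, {
        "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
        "Content-Type": ["text/html; charset=utf-8"]}),
}
WEAK = {   # redirects correctly, but a one-day policy is far below 180 days
    "http://shop.example/": Response(301, {"Location": ["https://shop.example/"]}),
    "https://shop.example/": Response(200, {
        "Strict-Transport-Security": ["max-age=86400; includeSubDomains"]}),
}
MISPLACED = {   # no redirect, and the policy sits only on the HTTP reply, which UAs ignore
    "http://shop.example/": Response(200, {"Strict-Transport-Security": ["max-age=31536000"]}),
    "https://shop.example/": Response(200, {}),
}


def check_table(table: Dict[str, Response]) -> Dict[str, bool]:
    return run_check("shop.example", table.get)
```

`check_table(GOOD)` passes all three conditions; `WEAK` fails only the `hsts` condition; `MISPLACED` fails both `redirect` and `hsts`, which is the shape of the "we do send HSTS, why is it failing?" case.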

Which AI surfaces it affects

  • Google AI Mode (UCP): 95
  • ChatGPT (ACP): 95
  • Perplexity: 95
  • Microsoft Copilot: 90
  • Meta AI: 80

Weighted against the live specs — ACP 2026-04-17, UCP 2026-04-08.

How to fix it

Enforce HTTPS sitewide and ship a Strict-Transport-Security header with max-age ≥ 6 months

Shopify

One click
  1. Shopify enforces HTTPS and serves a long-max-age HSTS header by default on every storefront — no merchant action needed.
  2. If this check is failing on a Shopify store, you are most likely auditing a custom domain fronted by a CDN or proxy that terminates TLS upstream and drops the header. Re-test against the canonical `*.myshopify.com` hostname to confirm, then add the header (or stop stripping it) at that proxy.


BigCommerce

One click
  1. BigCommerce enforces HTTPS for all storefronts and ships a long-max-age HSTS header by default.
  2. If failing, re-check the canonical storefront URL and any subdomain you're auditing.


WooCommerce

Developer
  1. Install or renew a TLS certificate via your hosting provider or Let's Encrypt.
  2. WordPress admin → Settings → General: set both WordPress Address (URL) and Site Address (URL) to https://, so WordPress itself stops emitting http:// links.
  3. In your `.htaccess` (Apache) or server block (nginx), 301-redirect HTTP → HTTPS and set the HSTS header. Put the header in the HTTPS virtual host or server block only: browsers ignore Strict-Transport-Security received over plain HTTP, so emitting it on the redirect response does nothing.


Custom / headless

Developer
  1. Provision a TLS certificate (Let's Encrypt is free; ACM if you're on AWS).
  2. At the edge / load balancer, 301-redirect every HTTP request to the same path on HTTPS.
  3. Add the Strict-Transport-Security response header on every HTTPS response with `max-age=31536000; includeSubDomains` (preload optional). Before turning on `includeSubDomains`, confirm every subdomain (including internal or legacy hosts) already serves HTTPS, because the policy will apply to all of them. Preload is a one-way door: submission to the browser preload list requires `max-age` ≥ 31536000, `includeSubDomains`, the `preload` directive and a same-host HTTP → HTTPS redirect, and removal from the list takes months to propagate.
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Type: text/html; charset=utf-8

<!-- response body -->
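As an added example (not the page's or any platform's code), here is the redirect-and-header step as a WSGI middleware for a Python-served headless storefront, together with the offline harness used to exercise it. It also handles two details the steps above leave implicit: it sets the header only on HTTPS responses, because browsers ignore HSTS received over plain HTTP, and it refuses to build the redirect from a Host header it does not recognise, since redirecting to an attacker-supplied host is an open redirect. `EnforceHttps`, `shop.example`, the `trust_proxy` flag and the `hello` app are assumptions of the example, not part of the original.

```python
from urllib.parse import quote

HSTS_VALUE = "max-age=31536000; includeSubDomains"   # one year, as in step 3 above


def request_is_https(environ, trust_proxy):
    """True when the client connection was TLS. X-Forwarded-Proto is honoured only
    when the caller says the upstream proxy is trusted: a direct client can set that
    header itself and would otherwise skip the redirect."""
    if trust_proxy:
        fwd = environ.get("HTTP_X_FORWARDED_PROTO", "")
        if fwd:
            return fwd.split(",")[0].strip().lower() == "https"   # first hop only
    return environ.get("wsgi.url_scheme", "http") == "https"


def https_target(environ):
    """Same host, same path and query string, https scheme."""
    host = environ["HTTP_HOST"]
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "") or "/")
    qs = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{qs}" if qs else "")


class EnforceHttps:
    """WSGI middleware: 301 to HTTPS for plain requests; HSTS on HTTPS responses only."""

    def __init__(self, app, allowed_hosts, trust_proxy=False):
        self.app, self.allowed_hosts, self.trust_proxy = app, set(allowed_hosts), trust_proxy

    def __call__(self, environ, start_response):
        host = environ.get("HTTP_HOST", "")
        if host not in self.allowed_hosts:
            # Never redirect to a Host value you did not configure: that is an open redirect.
            start_response("400 Bad Request", [("Content-Length", "0")])
            return [b""]
        if not request_is_https(environ, self.trust_proxy):
            start_response("301 Moved Permanently",
                           [("Location", https_target(environ)), ("Content-Length", "0")])
            return [b""]

        def start_https(status, headers, exc_info=None):
            # Browsers only honour HSTS over TLS, so the header is set on this branch alone.
            headers = [(k, v) for k, v in headers if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_https)


# --- constructed offline harness, so the example runs without a real server ---

def hello(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<!-- response body -->"]


def env(scheme, path="/", query="", host="shop.example", **extra):
    e = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET", "HTTP_HOST": host,
         "SCRIPT_NAME": "", "PATH_INFO": path, "QUERY_STRING": query}
    e.update(extra)
    return e


def call(app, environ):
    """Drive a WSGI app once; returns (status, headers as a dict, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return seen["status"], dict(seen["headers"]), body


app = EnforceHttps(hello, allowed_hosts={"shop.example"}, trust_proxy=True)
```

With `trust_proxy=True` the middleware sits behind the TLS-terminating edge from step 2 and sees `X-Forwarded-Proto: https`; run it with `trust_proxy=False` when clients reach it directly, otherwise anyone can bypass the redirect by sending that header themselves.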


The spec it's pinned to

  • RFC 6797 — HTTP Strict Transport Security (HSTS)

    RFC 6797 defines the `Strict-Transport-Security` response header and the rules for honouring it (HTTPS responses only, first header wins, `max-age` required). SSL Labs and Mozilla Observatory require `max-age` ≥ 6 months (15,552,000 seconds) for their top ratings; a shorter policy expires between visits, so a returning visitor's first request can once again leave the browser over plain HTTP and the downgrade protection is lost.

MDN — Strict-Transport-Security

