diff --git a/documentation/modules/auxiliary/scanner/http/http_hsts.md b/documentation/modules/auxiliary/scanner/http/http_hsts.md
new file mode 100644
index 0000000000..0bd0883df1
--- /dev/null
+++ b/documentation/modules/auxiliary/scanner/http/http_hsts.md
@@ -0,0 +1,141 @@
+## Vulnerable Application
+
+### Description
+
+This module checks to see whether or not the scanned systems return the HSTS header to enforce HSTS.
+
+### Install on Ubuntu 18.04 LTS
+
+    sudo apt-get install apache2
+    sudo service apache2 start
+    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
+    sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
+
+Once this is done place the following content into `/etc/apache2/conf-available/ssl-params.conf`:
+
+    # from https://cipherli.st/
+    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
+    
+    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+    SSLProtocol All -SSLv2 -SSLv3
+    SSLHonorCipherOrder On
+    # Disable preloading HSTS for now.  You can use the commented out header line that includes
+    # the "preload" directive if you understand the implications.
+    #Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
+    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
+    Header always set X-Frame-Options DENY
+    Header always set X-Content-Type-Options nosniff
+    # Requires Apache >= 2.4
+    SSLCompression off
+    SSLSessionTickets Off
+    SSLUseStapling on
+    SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
+
+    SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
+
+Then execute the following:
+
+    sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf.bak
+
+Place the following in `/etc/apache2/sites-available/default-ssl.conf`:
+
+```
+<IfModule mod_ssl.c>
+    <VirtualHost _default_:443>
+        ServerAdmin webmaster@localhost
+
+        DocumentRoot /var/www/html
+    
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+        SSLEngine on
+        SSLCertificateFile	/etc/ssl/certs/apache-selfsigned.crt
+        SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
+    
+        <FilesMatch "\.(cgi|shtml|phtml|php)$">
+            SSLOptions +StdEnvVars
+        </FilesMatch>
+        <Directory /usr/lib/cgi-bin>
+            SSLOptions +StdEnvVars
+        </Directory>
+    
+        BrowserMatch "MSIE [2-6]" \
+            nokeepalive ssl-unclean-shutdown \
+            downgrade-1.0 force-response-1.0
+    </VirtualHost>
+</IfModule>
+```
+
+Place the following in `/etc/apache2/sites-available/000-default.conf`:
+
+    <VirtualHost *:80>
+        ServerAdmin webmaster@localhost
+        DocumentRoot /var/www/html
+    
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+    
+    </VirtualHost>
+
+Finally, execute the following commands:
+
+    sudo service apache2 stop
+    sudo a2enmod ssl
+    sudo a2enmod headers
+    sudo a2ensite default-ssl
+    sudo a2enconf ssl-params
+    sudo apache2ctl configtest
+    sudo service apache2 restart
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/http_hsts```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: ```run```
+
+## Options
+
+## Scenarios
+
+### Apache 2.4.29 on Ubuntu 18.04 LTS
+
+Install using following instructions for Ubuntu listed above.
+
+```
+msf5 > use auxiliary/scanner/http/http_hsts
+msf5 auxiliary(scanner/http/http_hsts) > set RHOSTS 192.168.90.91
+RHOSTS => 192.168.90.91
+msf5 auxiliary(scanner/http/http_hsts) > run
+
+[+] 192.168.90.91:443 - Strict-Transport-Security:max-age=63072000; includeSubdomains
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/http_hsts) >
+
+```
+
+### Confirming using Nmap
+
+```
+tekwizz123@DESKTOP-VF1AJQB:~$ nmap 192.168.90.91 -p 443 --script http-security-headers
+
+Starting Nmap 7.60 ( https://nmap.org ) at 2020-03-31 00:30 CDT
+Nmap scan report for 192.168.90.91
+Host is up (0.0034s latency).
+
+PORT    STATE SERVICE
+443/tcp open  https
+| http-security-headers:
+|   Strict_Transport_Security:
+|     Header: Strict-Transport-Security: max-age=63072000; includeSubdomains
+|   X_Frame_Options:
+|     Header: X-Frame-Options: DENY
+|     Description: The browser must not display this content in any frame.
+|   X_Content_Type_Options:
+|     Header: X-Content-Type-Options: nosniff
+|_    Description: Will prevent the browser from MIME-sniffing a response away from the declared content-type.
+
+Nmap done: 1 IP address (1 host up) scanned in 1.25 seconds
+```