HSTS

Category: Security Misconfiguration

Severity: Medium

Description

The HTTP Strict Transport Security (HSTS) header is a mechanism by which a web site tells browsers that all traffic exchanged with a given domain must always be sent over HTTPS. This helps protect the information from being passed over unencrypted requests.

The HSTS header uses two directives:

max-age: The number of seconds for which the browser should automatically convert all HTTP requests to HTTPS.

includeSubDomains: Indicates that all of the web application's sub-domains must also use HTTPS.

Here's an example of the HSTS header implementation:

Strict-Transport-Security: max-age=60000; includeSubDomains
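The following added example (not part of the original page) shows how a scanner or a CI check can verify that a response carries a well-formed HSTS header and parse the two directives described above, plus the optional preload directive. The one-year threshold for max-age and the sample responses are assumptions constructed for this example; the page's own example value is included among the samples so the outcome for it can be seen.

```python
"""Check HTTPS response headers for a usable Strict-Transport-Security policy.

Added example. The sample responses below are constructed, not captured
from any real server.
"""
import re
from typing import Optional

# One year in seconds, a widely used lower bound for max-age. This threshold
# is an assumption of this example, not a value taken from the page.
RECOMMENDED_MAX_AGE = 31536000


def parse_hsts(value: str) -> dict:
    """Parse the directive list of a Strict-Transport-Security header value.

    Directives are separated by ';', names are case-insensitive, and a
    directive must not appear more than once (RFC 6797 section 6.1).
    Unknown directives are ignored, as browsers do.
    """
    result = {"max_age": None, "include_subdomains": False,
              "preload": False, "errors": []}
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            result["errors"].append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            # delta-seconds: one or more digits and nothing else
            if re.fullmatch(r"\d+", arg):
                result["max_age"] = int(arg)
            else:
                result["errors"].append(f"invalid max-age value: {arg!r}")
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if "max-age" not in seen:
        result["errors"].append("max-age directive missing")
    return result


def first_header(headers: list, name: str) -> Optional[str]:
    """Return the first header value whose name matches (case-insensitive).

    RFC 6797 tells browsers to process only the first HSTS header field when
    several are present, so the check mirrors that behaviour.
    """
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None


def check_hsts(headers: list) -> list:
    """Return a list of findings for a response; an empty list means OK.

    headers is a list of (name, value) tuples from an HTTPS response. Browsers
    only honour the header when it arrives over HTTPS, so responses fetched
    over plain HTTP should not be assessed with this function.
    """
    findings = []
    value = first_header(headers, "Strict-Transport-Security")
    if value is None:
        return ["Strict-Transport-Security header missing"]
    parsed = parse_hsts(value)
    findings.extend(parsed["errors"])
    if parsed["max_age"] is not None and parsed["max_age"] < RECOMMENDED_MAX_AGE:
        findings.append(
            f"max-age={parsed['max_age']} is below the recommended "
            f"{RECOMMENDED_MAX_AGE} seconds")
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains directive absent; sub-domains "
                        "are not covered by the policy")
    return findings


# Constructed sample responses (not captured from any real server).
SAMPLE_RESPONSES = {
    "missing": [("Content-Type", "text/html")],
    # the page's own example value
    "page_example": [("Strict-Transport-Security",
                      "max-age=60000; includeSubDomains")],
    "strong": [("Strict-Transport-Security",
                "max-age=31536000; includeSubDomains; preload")],
    "broken": [("Strict-Transport-Security", "max-age=abc; max-age=10")],
}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(label, "->", check_hsts(headers) or ["OK"])
```

Run against the page's example value, the check accepts the syntax but reports that max-age=60000 (under 17 hours) is below the one-year threshold assumed here; after that period expires, a single plain-HTTP request is enough for the browser to forget the policy.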

Impact

The presence and configuration of this header must be checked, because a missing or weak policy can lead to the following security issues:

• Attackers sniffing the network traffic and accessing the information transferred through an unencrypted channel.

• Attackers mounting a man-in-the-middle attack, since without HSTS the browser allows the user to accept a certificate that is not trusted.

• Users who mistakenly enter an address in the browser with HTTP instead of HTTPS, or who click a link in a web application that mistakenly specifies the HTTP protocol.

Remediation

Add the Strict-Transport-Security header in the server's .htaccess file.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
