HSTS

Category: Security Misconfiguration

Severity: Medium

Description

The HTTP Strict Transport Security (HSTS) header is a mechanism that web sites have to communicate to the web browsers that all traffic exchanged with a given domain must always be sent over https, this will help protect the information from being passed over unencrypted requests.

The HSTS header uses two directives:

max-age: To indicate the number of seconds that the browser should automatically convert all HTTP requests to HTTPS.

includeSubDomains: To indicate that all web application’s sub-domains must use HTTPS.

Here’s an example of the HSTS header implementation:

Strict-Transport-Security: max-age=60000; includeSubDomains

Impact

The use of this header by web applications must be checked to find if the following security issues could be produced:

• Attackers sniffing the network traffic and accessing the information transferred through an unencrypted channel.

• Attackers exploiting a man in the middle attack because of the problem of accepting certificates that are not trusted.

• Users who mistakenly entered an address in the browser putting HTTP instead of HTTPS, or users who click on a link in a web application which mistakenly indicated the HTTP protocol.

Remediation

Add Strict-Transport-Security header to server htaccess file.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security