HSTS
Category: Security Misconfiguration
Severity: Medium
Description
The HTTP Strict Transport Security (HSTS) header is a mechanism that lets a web site tell browsers that all traffic exchanged with a given domain must always be sent over HTTPS. Once a browser has seen the header, it rewrites any plain-HTTP request to that domain to HTTPS before sending it, so the information never leaves the browser over an unencrypted connection.
The HSTS header uses two main directives:
max-age: The number of seconds for which the browser should remember that the site must only be reached over HTTPS and automatically convert all HTTP requests to HTTPS. A value of 0 tells the browser to forget the policy.
includeSubDomains: Indicates that the policy also applies to all of the web application's sub-domains.
A third directive, preload, is not part of RFC 6797 but is honoured by the major browsers: it signals consent to have the domain added to the browser's built-in HSTS list, so that even the very first visit is forced to HTTPS.
Here's an example of the HSTS header implementation:
Strict-Transport-Security: max-age=60000; includeSubDomains
Note that max-age=60000 is under 17 hours. The policy only protects a user for as long as max-age has not expired since their last visit, so a production deployment should use a value of at least one year (31536000) once the HTTPS configuration is known to be stable.
Impact
The absence of this header, or a header that is too weak, exposes the web application to the following issues:
• Attackers sniffing the network traffic and reading information transferred over an unencrypted channel.
• Attackers mounting a man-in-the-middle attack by presenting an untrusted certificate and relying on the user to click through the browser warning; with HSTS in effect, browsers treat certificate errors for the domain as fatal and do not offer the click-through.
• Users who mistakenly enter an address in the browser with HTTP instead of HTTPS, or who click a link in a web application that mistakenly uses the HTTP scheme, and whose request therefore travels over plain HTTP until the server redirects it (if it does at all).
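A check for this finding, added here as an example and not part of the original page: it parses a Strict-Transport-Security value the way a browser does (a duplicate directive or a missing or non-numeric max-age makes browsers ignore the whole header, per RFC 6797) and flags the weaknesses listed above against constructed sample responses. The one-year threshold and the preload requirements are policy choices assumed here, not something the page states.

```python
"""Added example (not from the original page): parse and evaluate an HSTS header."""
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # assumed baseline: one year of protection


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse a Strict-Transport-Security value into {directive: value}.

    Directive names are case-insensitive; flags such as includeSubDomains map
    to None. RFC 6797 requires each directive to appear at most once, and
    browsers ignore the whole header otherwise, so duplicates raise ValueError.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive {name}")
        directives[name] = val.strip().strip('"') if sep else None
    return directives


def evaluate_hsts(headers: Dict[str, str], scheme: str) -> List[str]:
    """Return a list of findings for one response's headers and URL scheme.

    An empty list means the policy is present and meets the assumed baseline.
    """
    findings: List[str] = []
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)

    # Browsers only honour HSTS received over HTTPS; over HTTP it is discarded.
    if scheme != "https":
        if hsts is not None:
            findings.append("HSTS header sent over plain HTTP; browsers ignore it there")
        else:
            findings.append("plain HTTP response: cannot set HSTS; redirect to HTTPS first")
        return findings

    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
        return findings

    try:
        d = parse_hsts(hsts)
    except ValueError as err:
        findings.append(f"malformed HSTS header ({err}); browsers will ignore it")
        return findings

    max_age = d.get("max-age")
    age = int(max_age) if max_age is not None and max_age.isdigit() else None
    if age is None:
        findings.append("max-age missing or not a number; browsers will ignore the header")
    elif age == 0:
        findings.append("max-age=0 removes the policy rather than enforcing it")
    elif age < ONE_YEAR:
        findings.append(f"max-age={age} is shorter than one year ({ONE_YEAR})")

    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing; sub-domains can still be reached over HTTP")

    # hstspreload.org requires includeSubDomains and max-age >= 1 year (assumed here).
    if "preload" in d and ("includesubdomains" not in d or age is None or age < ONE_YEAR):
        findings.append("preload requested but the preload list requires includeSubDomains and max-age >= one year")
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "good":      ({"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}, "https"),
    "page":      ({"Strict-Transport-Security": "max-age=60000; includeSubDomains"}, "https"),
    "missing":   ({"Content-Type": "text/html"}, "https"),
    "over_http": ({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, "http"),
    "dup":       ({"Strict-Transport-Security": "max-age=31536000; max-age=0"}, "https"),
}

if __name__ == "__main__":
    for name, (hdrs, scheme) in SAMPLES.items():
        print(f"{name:10s} {evaluate_hsts(hdrs, scheme) or ['OK']}")
```

Running the script prints one line per sample; the "page" sample, which is the header shown in the Description, is flagged only for its short max-age. The check deliberately looks at the scheme of the response it came from, because a header that is only ever sent on the HTTP side of a redirect gives no protection at all.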
Remediation
Configure the web server (or the application) to send the Strict-Transport-Security header on every HTTPS response. On Apache this can be done in the server configuration or in an .htaccess file using mod_headers; nginx, IIS and other servers have equivalent settings. Browsers ignore the header when it arrives over plain HTTP, so also redirect HTTP requests to HTTPS so that a user's first visit reaches the HTTPS site and receives the policy. Before deploying a long max-age, make sure the whole site (and every sub-domain, if includeSubDomains is used) works over HTTPS, because browsers will refuse plain-HTTP access to the domain for the full max-age period.
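As an added example (not the page's or any project's own configuration), an Apache 2.4 snippet that sends the header only on HTTPS responses and redirects plain HTTP to HTTPS. It assumes mod_headers and mod_rewrite are loaded and, for .htaccess use, that AllowOverride permits FileInfo; the one-year max-age is an assumed policy value, and the weak header from the Description is kept as a commented-out line for comparison.

```apache
# Added example, not from the original page. Usable in httpd.conf, a
# <VirtualHost> block, or .htaccess (requires AllowOverride FileInfo).

# Weak form from the Description: the policy lapses after under 17 hours.
# Header always set Strict-Transport-Security "max-age=60000; includeSubDomains"

<IfModule mod_headers.c>
    # "always" also covers redirects and error responses; the expr= condition
    # keeps the header off plain-HTTP responses, where browsers ignore it anyway.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" "expr=%{HTTPS} == 'on'"
</IfModule>

<IfModule mod_rewrite.c>
    # Send plain-HTTP visitors to HTTPS so their first visit receives the policy.
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
```

Verify after deployment with a request to the HTTPS origin (for example `curl -sI https://example.com/`, where example.com stands in for the site under test) and confirm the Strict-Transport-Security header appears on the HTTPS response but not on the HTTP redirect.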
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security