HSTS
Category: Security Misconfiguration
Severity: Medium
Description
The HTTP Strict Transport Security (HSTS) header (RFC 6797) is the mechanism by which a web site tells browsers that all traffic for a given host must be sent over HTTPS. Once a browser has seen the header on an HTTPS response, it rewrites any later http:// request to that host to https:// before sending it, and it treats certificate errors for that host as fatal instead of offering a click-through. This protects session cookies, credentials and other data from being sent over an unencrypted request that an attacker on the path could read or modify.
The HSTS header defines two directives:
max-age: The number of seconds, counted from the last time the header was received, for which the browser remembers that the host is HTTPS-only and automatically converts HTTP requests to HTTPS. A value of 0 tells the browser to forget the policy.
includeSubDomains: Indicates that the policy also applies to every subdomain of the host, so those must be reachable over HTTPS as well.
A third, non-standard directive, preload, signals that the site wants to be included in the HSTS preload list shipped with browsers, which protects even the very first request; submission requires a max-age of at least one year together with includeSubDomains.
Here’s an example of the HSTS header implementation (note that 60000 seconds is less than 17 hours; production deployments use at least one year, 31536000 seconds):
Strict-Transport-Security: max-age=60000; includeSubDomains
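To make the directives above concrete, the following added example (it is not code from the original page or from any scanner product) parses a Strict-Transport-Security header value the way a browser would and evaluates it against the policy just described: max-age present and at least one year, includeSubDomains set, and the header delivered over HTTPS, since RFC 6797 section 8.1 requires browsers to ignore it on plain-HTTP responses. The one-year threshold and the preload requirements are the ones published by hstspreload.org; the sample header values at the bottom are constructed for the demo.

```python
"""Parse and evaluate a Strict-Transport-Security header value.

Added example, not part of the original page. Directive names are
case-insensitive (RFC 6797 section 6.1); unknown directives are ignored,
as a browser ignores them.
"""
from dataclasses import dataclass
from typing import List, Optional

# One year in seconds: the usual production minimum and the value the
# HSTS preload list (hstspreload.org) requires.
ONE_YEAR = 31_536_000


@dataclass
class HstsPolicy:
    max_age: Optional[int]        # None when the directive is absent
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Split the header into directives and extract the three we care about."""
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')   # max-age="100" is also valid
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"max-age is not a non-negative integer: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate_hsts(header_value: Optional[str], over_https: bool = True) -> List[str]:
    """Return a list of findings; an empty list means the policy is acceptable."""
    if header_value is None:
        return ["Strict-Transport-Security header is missing"]
    findings: List[str] = []
    if not over_https:
        # RFC 6797 section 8.1: the header on a plain-HTTP response is ignored.
        findings.append("header was sent over HTTP and will be ignored by browsers")
    try:
        policy = parse_hsts(header_value)
    except ValueError as exc:
        return [f"header is malformed: {exc}"]
    if policy.max_age is None:
        findings.append("max-age directive is missing; the header is invalid without it")
    elif policy.max_age == 0:
        findings.append("max-age=0 disables HSTS and removes any cached policy")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age={policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        findings.append("includeSubDomains is not set; subdomains remain reachable over HTTP")
    if policy.preload and not (policy.include_subdomains and (policy.max_age or 0) >= ONE_YEAR):
        findings.append("preload is set but the policy does not meet the preload list requirements")
    return findings


if __name__ == "__main__":
    # Constructed sample values: the page's example, a strong policy, and no header.
    for value in ["max-age=60000; includeSubDomains",
                  "max-age=31536000; includeSubDomains; preload",
                  None]:
        print(f"{value!r} -> {evaluate_hsts(value) or 'OK'}")
```

Running the block on the page's own example reports only that max-age is below one year; a scanner check that reads the header from a captured HTTPS response can feed it straight into evaluate_hsts, passing over_https=False when the response was observed on port 80.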
Impact
If the application does not send this header (or sends it with a weak configuration), the following attacks remain possible:
• An attacker on the network path sniffing traffic and reading information that was sent over an unencrypted HTTP request, such as session cookies.
• An attacker performing a man-in-the-middle attack with an untrusted certificate: without HSTS the browser shows a warning that the user can click through; with HSTS the certificate error is fatal and cannot be bypassed.
• Users reaching the site over plain HTTP because they typed the address without https:// or followed a link that mistakenly uses the http scheme; the initial request and anything it carries are exposed, and an active attacker can keep the victim on HTTP (SSL stripping) instead of letting the redirect to HTTPS happen.
Remediation
Configure the web server or application to send the Strict-Transport-Security header on every HTTPS response (for Apache this can be done in the server configuration or an .htaccess file; other servers have equivalent settings). Browsers ignore the header on plain-HTTP responses, so those should instead redirect to HTTPS. Before enabling includeSubDomains, confirm that every subdomain is served over HTTPS, since the policy will make any HTTP-only subdomain unreachable for the duration of max-age; a common rollout is a short max-age first, raised to at least one year (31536000) once everything works.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
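Where the header is set at the application layer rather than in the server configuration, the following added example (not code from the original page or from any framework) shows the remediation as a WSGI middleware: HTTPS responses get a one-year Strict-Transport-Security header, and plain-HTTP requests are redirected to HTTPS instead of receiving the header, which browsers would ignore there. It assumes the application runs either directly over TLS (wsgi.url_scheme is "https") or behind a TLS-terminating proxy that sets X-Forwarded-Proto; the demo app, host name and request environments are constructed for the demo.

```python
"""HSTS as WSGI middleware. Added example, not part of the original page.

Assumptions: the WSGI server sets wsgi.url_scheme, or a TLS-terminating
reverse proxy in front of the app sets X-Forwarded-Proto and is the only
way to reach the app (otherwise that header can be spoofed by a client).
"""
from urllib.parse import urlunsplit

# One year; add "; preload" only once every subdomain is HTTPS-only and you
# intend to submit the site to the preload list.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def _is_https(environ) -> bool:
    """True when the request reached us over TLS, directly or via the proxy."""
    return (environ.get("wsgi.url_scheme") == "https"
            or environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https")


def https_redirect_url(environ) -> str:
    """Build the https:// URL for the same host, path and query string."""
    # In production validate HTTP_HOST against an allow-list before echoing
    # it into a redirect, so an attacker cannot point the redirect elsewhere.
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = environ.get("PATH_INFO") or "/"
    return urlunsplit(("https", host, path, environ.get("QUERY_STRING", ""), ""))


def hsts_middleware(app, hsts_value: str = HSTS_VALUE):
    """Wrap a WSGI app: redirect HTTP to HTTPS, add HSTS on HTTPS responses."""
    def wrapped(environ, start_response):
        if not _is_https(environ):
            # No HSTS header here: RFC 6797 makes browsers ignore it over HTTP.
            start_response("301 Moved Permanently",
                           [("Location", https_redirect_url(environ)),
                            ("Content-Type", "text/plain")])
            return [b"Redirecting to HTTPS\n"]

        def start_response_with_hsts(status, headers, exc_info=None):
            # Replace any value the app set so the policy is consistent.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", hsts_value))
            return start_response(status, headers, exc_info)

        return app(environ, start_response_with_hsts)
    return wrapped


def call(app, environ):
    """Run one request through a WSGI app and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def demo_app(environ, start_response):
    """Constructed stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def run_demo():
    """Return the results of one HTTPS and one HTTP request (constructed environs)."""
    app = hsts_middleware(demo_app)
    https_env = {"wsgi.url_scheme": "https", "HTTP_HOST": "example.com",
                 "SERVER_NAME": "example.com", "PATH_INFO": "/login",
                 "QUERY_STRING": "next=%2Faccount", "REQUEST_METHOD": "GET"}
    http_env = dict(https_env, **{"wsgi.url_scheme": "http"})
    return call(app, https_env), call(app, http_env)


if __name__ == "__main__":
    for status, headers, _ in run_demo():
        print(status, headers)
```

The same two rules, header only on HTTPS and a redirect on HTTP, apply when the header is set in Apache, nginx or a CDN instead; only the place where they are expressed changes.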