How does this issue affect my security?
HTTP Strict Transport Security (HSTS) is an HTTP header that instructs clients, such as web browsers, to only access a website over encrypted HTTPS connections. Clients that respect this header will automatically upgrade all connection attempts from HTTP to HTTPS.
After a client receives the HSTS header upon its first website visit, future connections to that website are protected against Man-in-the-Middle attacks that attempt to downgrade the connection to unencrypted HTTP.
The browser will expire the HSTS header after the number of seconds configured in the max-age attribute.
How is this issue discovered?
You can determine whether an HSTS header is present by checking the domain against https://gf.dev/hsts-test. Alternatively, you can confirm it in the Google Chrome developer tools by examining the "Strict-Transport-Security" response header.
You may also want to submit the domain for HSTS preloading and validate its preload status at https://hstspreload.org/. At this time, this issue type will raise measurements under the following scenarios:
| Measurement trigger |
|---|
| Max-age is shorter than best practices (shorter than 31536000 seconds, or 1 year). |
| Max-age does not parse correctly. |
| Header is missing max-age directive. |
| Header is missing includeSubDomains directive. |
| Multiple headers were found. |
| Multiple max-age values were found. |
| includeSubDomains directive was included multiple times. |
| Max-age is not a valid number. |
| No HSTS header was found. |
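The following checker, added here as an example and not the scorecard vendor's own measurement code, parses the Strict-Transport-Security value(s) from one HTTP response and reports each of the measurement triggers listed in the table above. It assumes the directive syntax of RFC 6797 (semicolon-separated, case-insensitive directive names); the sample header values at the bottom are constructed for illustration.

```python
"""Check Strict-Transport-Security header values against the HSTS
measurement triggers listed above. Added example, not vendor code."""
from __future__ import annotations

ONE_YEAR = 31536000  # recommended minimum max-age, in seconds


def check_hsts(headers: list[str]) -> list[str]:
    """Return the list of findings for one response (empty list = passes).

    `headers` holds every Strict-Transport-Security value seen in the
    response; pass an empty list when the header is absent.
    """
    findings: list[str] = []
    if not headers:
        return ["No HSTS header was found."]
    if len(headers) > 1:
        findings.append("Multiple headers were found.")

    # RFC 6797 section 6.1: directives are ';'-separated and directive
    # names are case-insensitive; values may optionally be quoted.
    max_age_values: list[str | None] = []
    subdomain_count = 0
    for header in headers:
        for raw in header.split(";"):
            directive = raw.strip()
            if not directive:
                continue
            name, sep, value = directive.partition("=")
            name = name.strip().lower()
            value = value.strip().strip('"')
            if name == "max-age":
                # None records a bare 'max-age' with no '=value' part
                max_age_values.append(value if sep else None)
            elif name == "includesubdomains":
                subdomain_count += 1

    if not max_age_values:
        findings.append("Header is missing max-age directive.")
    else:
        if len(max_age_values) > 1:
            findings.append("Multiple max-age values were found.")
        value = max_age_values[0]
        if not value:  # 'max-age' or 'max-age=' with nothing after it
            findings.append("Max-age does not parse correctly.")
        elif not (value.isascii() and value.isdigit()):
            findings.append("Max-age is not a valid number.")
        elif int(value) < ONE_YEAR:
            findings.append("Max-age is shorter than best practices.")

    if subdomain_count == 0:
        findings.append("Header is missing includeSubDomains directive.")
    elif subdomain_count > 1:
        findings.append("includeSubDomains directive was included multiple times.")
    return findings


# Constructed sample responses, keyed by a short label (not real hosts).
SAMPLES: dict[str, list[str]] = {
    "compliant": ["max-age=31536000; includeSubDomains; preload"],
    "short max-age": ["max-age=300; includeSubDomains"],
    "no max-age": ["includeSubDomains"],
    "non-numeric": ["max-age=abc; includeSubDomains"],
    "bare max-age": ["max-age; includeSubDomains"],
    "no subdomains": ["max-age=31536000"],
    "two headers": ["max-age=31536000; includeSubDomains", "max-age=31536000"],
    "absent": [],
}

if __name__ == "__main__":
    for label, values in SAMPLES.items():
        result = check_hsts(values) or ["OK"]
        print(f"{label:14s} {values!r}")
        for line in result:
            print(f"    - {line}")
```

To run it against a live response, collect every Strict-Transport-Security value your HTTP client returns (some clients fold repeated headers into one comma-joined string, so read the raw header list rather than a dictionary view) and pass that list to check_hsts.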
How can I remediate this issue?
Add the appropriate directives for your HSTS header. Please review OWASP's Cheat Sheet for HTTP Strict Transport Security.
How can I resolve this issue?
Follow the resolution process and select the applicable resolution:
- Fixed (select the finding and click the "Fixed" button): you have made the required changes to your asset and they are publicly available for validation.
- This is not my IP or domain: if this is the case, please submit a Domain Removal request through the Digital Footprint section of the Scorecard. Please see: Manage Digital Footprint.
- I cannot reproduce this issue and I think it's incorrect: the asset is owned by your organization, but you have evidence that shows the measurement is incorrect.
- Compensating Control: if HSTS preload has been set up for the apex domain, with the max-age directive set to 31536000 seconds (1 year) and the includeSubDomains directive present, then we can accept the finding for removal. Please submit a resolution request by selecting the finding --> "Other resolutions" --> "I have a Compensating Control" --> Provide the details --> Submit. The HSTS header for the apex domain should look like this:
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload