How does this issue affect my security?
HTTP Strict Transport Security (HSTS) is an HTTP header that instructs clients, such as web browsers, to only access a website over encrypted HTTPS connections. Clients that respect this header will automatically upgrade all connection attempts from HTTP to HTTPS.
After a client receives the HSTS header upon its first website visit, future connections to that website are protected against Man-in-the-Middle attacks that attempt to downgrade the connection to unencrypted HTTP.
The browser discards the cached HSTS policy after the number of seconds set in the max-age attribute, so a short max-age leaves only a small window of protection between visits.
How is this issue discovered?
You can determine whether an HSTS header is present by checking the domain against https://gf.dev/hsts-test. Alternatively, inspect the response headers in the Google Chrome developer tools and look for the "Strict-Transport-Security" header.
You may also want to preload the domain and verify its preload status at https://hstspreload.org/. At this time, this issue type raises measurements under the following scenarios:
| Measurement trigger |
|---|
| Max-age is shorter than best practices (shorter than 31536000 seconds, or 1 year). |
| Max-age does not parse correctly. |
| Header is missing max-age directive. |
| Header is missing includeSubDomains directive. |
| Multiple headers were found. |
| Multiple max-age values were found. |
| includeSubDomains directive was included multiple times. |
| Max-age is not a valid number. |
| No HSTS header was found. |
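As an added example (not SecurityScorecard's own checker), the following Python function applies the triggers in the table above to the Strict-Transport-Security values a server returned; the function name, the trigger wording and the sample headers are constructed for illustration.

```python
import re

MIN_MAX_AGE = 31536000  # one year, the best-practice floor named in the table

def check_hsts(headers):
    """Return the measurement triggers that fire for the given list of
    Strict-Transport-Security header values (one entry per header line the
    server sent). An empty list means the header passes every check."""
    findings = []
    if not headers:
        return ["No HSTS header was found."]
    if len(headers) > 1:
        findings.append("Multiple headers were found.")
    # Collect max-age values and includeSubDomains occurrences across all lines.
    max_ages, subdomain_count = [], 0
    for value in headers:
        for directive in value.split(";"):
            directive = directive.strip()
            if not directive:
                continue
            name, _, val = directive.partition("=")
            name = name.strip().lower()  # directive names are case-insensitive
            if name == "max-age":
                max_ages.append(val.strip().strip('"'))  # value may be quoted
            elif name == "includesubdomains":
                subdomain_count += 1
    if not max_ages:
        findings.append("Header is missing max-age directive.")
    else:
        if len(max_ages) > 1:
            findings.append("Multiple max-age values were found.")
        for raw in max_ages:
            if raw == "":
                findings.append("Max-age does not parse correctly.")
            elif not re.fullmatch(r"\d+", raw):
                findings.append("Max-age is not a valid number.")
            elif int(raw) < MIN_MAX_AGE:
                findings.append("Max-age is shorter than best practices.")
    if subdomain_count == 0:
        findings.append("Header is missing includeSubDomains directive.")
    elif subdomain_count > 1:
        findings.append("includeSubDomains was included multiple times.")
    return findings

if __name__ == "__main__":
    # Constructed samples: a weak header beside a compliant one.
    for sample in (["max-age=300"], ["max-age=31536000; includeSubDomains"]):
        print(sample, "->", check_hsts(sample) or ["OK"])
```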
How can I remediate this issue?
Add the appropriate directives for your HSTS header. Please review OWASP's Cheat Sheet for HTTP Strict Transport Security.
How can I resolve this issue?
Follow the resolution process, and select the applicable resolution:
- I have fixed this
  - You have made the required changes to your asset and they are publicly available for validation.
- This is not my IP or domain
  - At the time of measurement (Date First Observed), this domain or IP address was not owned by your organization.
- I cannot reproduce this issue and I think it's incorrect
  - The asset is owned by your organization, but you have evidence that shows the measurement is incorrect.
Note: If you select the compensating controls remediation option, SecurityScorecard will not accept it. There are no compensating controls for this issue.