Skip to main content

Website Does Not Implement HSTS Best Practices

dave herder
  • Updated

    How does this issue affect my security?

    HTTP Strict Transport Security (HSTS) is an HTTP header that instructs clients, such as web browsers, to only access a website over encrypted HTTPS connections. Clients that respect this header will automatically upgrade all connection attempts from HTTP to HTTPS.

    After a client receives the HSTS header upon its first website visit, future connections to that website are protected against Man-in-the-Middle attacks that attempt to downgrade the connection to unencrypted HTTP.

    The browser will expire the HSTS header after the number of seconds configured in the max-age attribute.

    How is this issue discovered?

    You can determine whether or not an HSTS header is present by checking the domain against https://gf.dev/hsts-test. Alternatively, you can validate with the Google Chrome developer tools when examining the header "Strict-Transport-Security". 

    You may want to perform additional preloading efforts against the domain, validating with https://hstspreload.org/. At this time, this issue type will raise measurements under the following scenarios:

    Measurement trigger

    Max-age is shorter than best practices. (shorter than 31536000, or 1 year)

    Max-age does not parse correctly.

    Header is missing max-age directive.

    Header is missing includeSubDomains directive.

    Multiple headers were found.

    Multiple max-age values were found

    Subdomains value were included multiple times.

    Max-age is not a valid number.

    No HSTS header was found.

     

    How can I remediate this issue?

    Add the appropriate directives for your HSTS header. Please review OWASP's Cheat Sheet for HTTP Strict Transport Security.

     

    How can I resolve this issue?

    Follow the resolution process, and select the applicable resolution:

    • By selecting the finding and clicking on "Fixed" button
      • You have made the required changes to your asset and they are publicly available for validation.
    • This is not my IP or domain
      • If this is the case, then please submit a Domain Removal request through the Digital Footprint section of the Scorecard. Please see: Manage Digital Footprint
    • I cannot reproduce this issue and I think it’s incorrect
      • The asset is owned by your organization, but you have evidence that shows the measurement is incorrect.
    • Compensating Control
      • If HSTS pre-load has been setup against the Apex Domain along with max-age directive set with 31536000 seconds (1 year) and includeSubDomains directive then we can accept the findings for removal. Please submit a resolution request by selecting the finding --> "Other resolutions" --> "I have a Compensating Control" --> Provide the details --> Submit. The HSTS Header for the Apex domain should look like below:

              Strict-Transport-Security:max-age=31536000; includeSubDomains; preload

     

    Related articles

    Comments

    0 comments

    Please sign in to leave a comment.