Skip to main content

Website Does Not Implement HSTS Best Practices

dave herder
  • Updated

In this article:

    How does this issue affect my security?

    HTTP Strict Transport Security (HSTS) is an HTTP header that instructs clients, such as web browsers, to only access a website over encrypted HTTPS connections. Clients that respect this header will automatically upgrade all connection attempts from HTTP to HTTPS.

    After a client receives the HSTS header upon its first website visit, future connections to that website are protected against Man-in-the-Middle attacks that attempt to downgrade the connection to unencrypted HTTP.

    The browser will expire the HSTS header after the number of seconds configured in the max-age attribute.

    How is this issue discovered?

    You can determine whether or not an HSTS header is present by checking the domain against https://gf.dev/hsts-test. Alternatively, you can validate with the Google Chrome developer tools when examining the header "Strict-Transport-Security". 

    You may want to perform additional preloading efforts against the domain, validating with https://hstspreload.org/. At this time, this issue type will raise measurements under the following scenarios:

    Measurement trigger

    Max-age is shorter than best practices. (shorter than 31536000, or 1 year)

    Max-age does not parse correctly.

    Header is missing max-age directive.

    Header is missing includeSubDomains directive.

    Multiple headers were found.

    Multiple max-age values were found

    Subdomains value were included multiple times.

    Max-age is not a valid number.

    No HSTS header was found.

     

    How can I remediate this issue?

    Add the appropriate directives for your HSTS header. Please review OWASP's Cheat Sheet for HTTP Strict Transport Security.

     

    How can I resolve this issue?

    Follow the resolution process, and select the applicable resolution:

    • I have fixed this
      • You have made the required changes to your asset and they are publicly available for validation.
    • This is not my IP or domain
      • At the time of measurement (Date First Observed), this domain or IP address was not owned by your organization.
    • I cannot reproduce this issue and I think it’s incorrect
      • The asset is owned by your organization, but you have evidence that shows the measurement is incorrect.

    Note: If you select the compensating controls remediation option, SecurityScorecard will not accept it. There are no compensating controls for this issue.

     

    Related articles