Insecure HTTP Header Setting: HTTP Strict Transport Security (HSTS)
Insecure HTTP Header Setting: HTTP Strict Transport Security (HSTS)
Description
HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure (HTTPS) connections. The server communicates the HSTS Policy to the user agent via an HTTP response header field named "Strict-Transport-Security". HSTS The policy specifies a period during which the user agent shall access the server in only a secure fashion.
When a web application issues HSTS Policy to user agents, conformant user agents behave as follows:
- Automatically turn any insecure (HTTP) links referencing the web application into secure (HTTPS) links. (For instance, http://example.com/some/page/ will be modified to https://example.com/some/page/ before accessing the server.)
- If the connection's security cannot be ensured (e.g., the server's TLS certificate is self-signed), user agents show an error message and do not allow the user to access the web application.
Recommendation
Configure your webserver to redirect HTTP requests to HTTPS.
i.e. for Apache, you should have modification in the httpd.conf. For more configurations, please refer to External References section.
# load module
LoadModule headers_module modules/mod_headers.so
# redirect all HTTP to HTTPS (optional)
<VirtualHost *:80>
ServerAlias *
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>
# HTTPS-Host-Configuration
<VirtualHost *:443>
# Use HTTP Strict Transport Security to force client to use secure connections only
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Further Configuration goes here
[...]
</VirtualHost>
Links
Standards
- OWASP_ASVS_L1:
- V14_4_5
- OWASP_ASVS_L2:
- V14_4_5
- OWASP_ASVS_L3:
- V14_4_5
- PCI_STANDARDS:
- REQ_2_2
- REQ_3_6
- REQ_3_7
- REQ_4_2
- REQ_6_2
- REQ_6_3
- REQ_6_4
- REQ_11_3