Strict-Transport-Security (HSTS) not enforced
Description
The HTTP Strict-Transport-Security response header (abbreviated HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of HTTP.
To exploit this vulnerability, an attacker must intercept and modify the network traffic from the target. This requires the client to communicate with the server over an insecure connection, such as public Wi-Fi.
Recommendation
The server must add the Strict-Transport-Security header to all HTTP responses to instruct the browser to use transport security.
HSTS is trust-on-first-use: a user who has never accessed the application (and therefore has no stored HSTS policy) is still vulnerable to SSL stripping attacks.
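The following checker is an added example, not code from the original page: it parses a response's Strict-Transport-Security header and reports whether it is missing, malformed, or weaker than a baseline. The one-year `max-age` baseline and the sample header sets are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEADER = "strict-transport-security"
RECOMMENDED_MIN_MAX_AGE = 31536000  # one year in seconds (assumed baseline)


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> Dict[str, str]:
    """Split a header value like 'max-age=300; includeSubDomains' into directives."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers: Dict[str, str], min_max_age: int = RECOMMENDED_MIN_MAX_AGE) -> HstsResult:
    """Evaluate the HSTS header of one response (header names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if HEADER not in lowered:
        return HstsResult(present=False, findings=["Strict-Transport-Security header missing"])
    d = parse_hsts(lowered[HEADER])
    result = HstsResult(present=True, include_subdomains="includesubdomains" in d, preload="preload" in d)
    raw = d.get("max-age")
    if raw is None or not raw.isdigit():
        result.findings.append("max-age directive missing or malformed; browsers ignore the header")
    else:
        result.max_age = int(raw)
        if result.max_age == 0:
            result.findings.append("max-age=0 clears the stored policy instead of enforcing it")
        elif result.max_age < min_max_age:
            result.findings.append(f"max-age {result.max_age}s is below the {min_max_age}s baseline")
    if not result.include_subdomains:
        result.findings.append("includeSubDomains absent; subdomains remain reachable over HTTP")
    return result


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    for name, hdrs in {"missing": {"Content-Type": "text/html"},
                       "weak": {"Strict-Transport-Security": "max-age=300"},
                       "strong": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}}.items():
        r = check_hsts(hdrs)
        print(f"{name}: present={r.present} max_age={r.max_age} findings={r.findings}")
```

Feed it the response headers captured from an HTTPS request to each endpoint; a non-empty `findings` list is the condition a scanner would report.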