Strict-Transport-Security header missing or invalid
Description
The `Strict-Transport-Security` header was found to be missing or invalid. The `Strict-Transport-Security` header allows website operators to force communications to occur over a TLS connection. By enabling this header, websites can protect their users from various forms of network eavesdropping or interception attacks. While most browsers prevent mixed content (loading resources over HTTP when navigating from an HTTPS site), this header also ensures that all resource requests are only ever initiated over a secure transport.
Remediation
Only three directives are applicable for the `Strict-Transport-Security` header.
- `max-age`: This required directive specifies how long (in seconds) after receiving the response the browser should communicate with the host only over a secure transport.
- `includeSubDomains`: This optional, valueless directive signals that the policy applies to this host as well as any subdomains found under this host's domain.
- `preload`: While not part of the specification, setting this optional value allows major browser organizations to add this site into the browser's preloaded set of HTTPS sites. This requires further action on behalf of the website operator to submit their domain to the browser's HSTS preload list. See hstspreload.org for more information.
Note that invalid directives, or the `Strict-Transport-Security` header appearing more than once with differing values, cause the header to be considered invalid.
Prior to adding this security configuration to your website, it is recommended that you review the hstspreload.org Deployment Recommendations.
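The directive rules and the duplicate-header rule above can be turned into a small validator. The following is an added example, not code from the scanner or from any project this page describes; it applies the rules as stated on this page (required `max-age`, valueless `includeSubDomains` and `preload`, unknown or repeated directives invalid, and the header appearing more than once with differing values invalid). The function name `parse_hsts` and the sample header values are constructed for illustration.

```python
"""
Validator for Strict-Transport-Security header values (added example).

Rules implemented, following the page's description:
  - max-age is required and must be a non-negative integer number of seconds
  - includeSubDomains and preload are optional and take no value
  - any unknown directive, or a directive given twice, makes the header invalid
  - the header appearing more than once with differing values is invalid
    (identical repeats are tolerated as one header)
Directive names are matched case-insensitively, and a quoted max-age value
is accepted, which matches how browsers parse the header.
"""
import re

# Only these three directives are applicable (assumption: anything else is invalid,
# as this page states; browsers themselves ignore unknown directives).
KNOWN_DIRECTIVES = {"max-age", "includesubdomains", "preload"}


def parse_hsts(header_values):
    """Parse every Strict-Transport-Security value seen in one HTTP response.

    `header_values` is the list of raw values for that header (one entry per
    occurrence). Returns a dict describing the policy when the header is valid,
    or None when it is missing or invalid.
    """
    if not header_values:
        return None  # header missing

    # More than one occurrence is only acceptable when all values are identical.
    distinct = {v.strip() for v in header_values}
    if len(distinct) != 1:
        return None
    value = distinct.pop()

    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue  # empty directive, e.g. a trailing semicolon, is allowed
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name not in KNOWN_DIRECTIVES or name in seen:
            return None  # unknown directive, or the same directive twice
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None  # max-age needs a numeric value
            policy["max_age"] = int(arg)
        else:
            if arg:
                return None  # includeSubDomains / preload are valueless
            key = "include_subdomains" if name == "includesubdomains" else "preload"
            policy[key] = True

    if policy["max_age"] is None:
        return None  # the required directive is absent
    return policy


def hsts_finding(header_values):
    """Return a short finding string for a response, or None when the header is fine."""
    policy = parse_hsts(header_values)
    if policy is None:
        return "Strict-Transport-Security header missing or invalid"
    return None


if __name__ == "__main__":
    # Constructed sample responses: a correct header, a missing header,
    # and a response that sends two conflicting copies of the header.
    samples = {
        "good": ["max-age=31536000; includeSubDomains; preload"],
        "missing": [],
        "conflicting": ["max-age=31536000", "max-age=0"],
    }
    for label, values in samples.items():
        print(label, "->", hsts_finding(values) or parse_hsts(values))
```

Feed `parse_hsts` the list of values your HTTP client collected for the header (most clients expose repeated headers as a list or let you iterate over raw header pairs); a `None` result is exactly the condition this check reports.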
Details
ID | Aggregated | CWE | Type | Risk |
---|---|---|---|---|
16.7 | true | 16 | Passive | Low |