Strict-Transport-Security header missing or invalid
Description
The Strict-Transport-Security header was found to be missing or invalid. The Strict-Transport-Security header allows website operators to force communications to occur over a TLS connection. By enabling this header, websites can protect their users from various forms of network eavesdropping or interception attacks. While most browsers prevent mixed content (loading resources over HTTP when navigating from an HTTPS site), this header also ensures that all resource requests are only ever initiated over a secure transport.
Remediation
Only three directives are applicable for the Strict-Transport-Security header.

- max-age: This required directive specifies how long (in seconds) after receiving the response the browser should communicate with the host only over a secure transport.
- includeSubDomains: This optional, valueless directive signals that the policy applies to this host as well as any subdomains found under this host's domain.
- preload: While not part of the specification, setting this optional, valueless directive allows major browser organizations to add this site into the browser's preloaded set of HTTPS sites. This requires further action by the website operator to submit their domain to the browser's HSTS preload list. See hstspreload.org for more information.
Note that invalid directives, or the Strict-Transport-Security header appearing more than once (if the values are different), are considered invalid.

Prior to adding this security configuration to your website, it is recommended you review the hstspreload.org Deployment Recommendations.
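The following validator, added here as an example and not part of the GitLab DAST check's own code, applies the rules above to the Strict-Transport-Security values found in a response: max-age is required and must be a non-negative integer, includeSubDomains and preload take no value, any other directive is flagged, and the header appearing more than once with differing values is invalid. The `HstsPolicy` type, the `parse_hsts` function and the sample header values are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Directive names from RFC 6797 plus the non-standard "preload" token.
# Directive names are compared case-insensitively.
VALUELESS_DIRECTIVES = {"includesubdomains", "preload"}


@dataclass
class HstsPolicy:
    """Result of validating the STS header values of one response (constructed type)."""
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.problems


def parse_hsts(header_values: List[str]) -> HstsPolicy:
    """Validate every Strict-Transport-Security value a response carried.

    `header_values` holds all STS header field values of a single response
    (a server may emit the header more than once). Hypothetical helper that
    mirrors the check's rules rather than full RFC 6797 user-agent behaviour.
    """
    policy = HstsPolicy()
    if not header_values:
        policy.problems.append("header missing")
        return policy

    # Repeated headers are tolerated only when their values agree.
    distinct = {v.strip() for v in header_values}
    if len(distinct) > 1:
        policy.problems.append("header appears more than once with different values")
        return policy
    value = distinct.pop()

    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, sep, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # RFC 6797 allows a quoted max-age value
        if name in seen:
            policy.problems.append(f"directive repeated: {name}")
            continue
        seen.add(name)

        if name == "max-age":
            if not sep or not re.fullmatch(r"\d+", arg):
                policy.problems.append("max-age must be a non-negative integer")
            else:
                policy.max_age = int(arg)
        elif name in VALUELESS_DIRECTIVES:
            if sep:
                policy.problems.append(f"{name} takes no value")
            elif name == "includesubdomains":
                policy.include_subdomains = True
            else:
                policy.preload = True
        else:
            policy.problems.append(f"unknown directive: {name}")

    if "max-age" not in seen:
        policy.problems.append("required max-age directive missing")
    return policy


if __name__ == "__main__":
    # Constructed sample responses: one compliant, the rest triggering the check.
    samples = {
        "compliant": ["max-age=31536000; includeSubDomains; preload"],
        "missing": [],
        "no max-age": ["includeSubDomains"],
        "conflicting duplicates": ["max-age=31536000", "max-age=0"],
        "bad directive": ["max-age=300; foo"],
    }
    for label, values in samples.items():
        result = parse_hsts(values)
        print(f"{label:22s} valid={result.valid} problems={result.problems}")
```

Run the module directly to see each constructed sample classified; in a scanner or CI job you would feed `parse_hsts` the list of `Strict-Transport-Security` values read from an HTTPS response and fail the job when `valid` is false.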
Details
ID | Aggregated | CWE | Type | Risk |
---|---|---|---|---|
16.7 | true | 16 | Passive | Low |