Why Strict-Transport-Security Disabled can be dangerous
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that lets a web server declare that user agents (web browsers) may interact with it only over HTTPS connections.
If a website accepts HTTP and redirects to HTTPS, visitors may initially communicate with the unencrypted version of the website before being redirected. This is an opportunity for an attacker who can perform a man-in-the-middle attack: the attacker can use the redirect to send users to a malicious site instead of the secure version of the original website.
The HTTP ‘Strict-Transport-Security’ header instructs the browser never to load the site over HTTP and to automatically convert all attempts to access the website over HTTP into HTTPS requests.
How to fix Strict-Transport-Security Disabled
Ensure that your web server, application server, load balancer, etc. is configured to enforce ‘Strict-Transport-Security’ by setting or adding an HTTP ‘Strict-Transport-Security’ (HSTS) header with an appropriate ‘max-age’ value.
Example:
Strict-Transport-Security: max-age=31536000; includeSubDomains
How does ScanRepeat report Strict-Transport-Security Disabled
ScanRepeat analyzes every HTTP response and reports URLs where the ‘Strict-Transport-Security’ HTTP header was found with its ‘max-age’ directive set to zero.
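The following Python is an added example, not ScanRepeat's own scanner code. It models the check described above and the fix from the previous section: it parses ‘Strict-Transport-Security’ header values, reports ‘max-age=0’ as the disabled case (a zero max-age tells the browser to discard any stored HSTS policy), and also flags a missing header, a header whose ‘max-age’ is absent or malformed (browsers ignore such a header), and a ‘max-age’ shorter than the one-year value shown in the example header. The one-year threshold, the function names and the sample responses are this example's own assumptions.

```python
"""Parse and assess HTTP Strict-Transport-Security headers.

Added example; not ScanRepeat's code. Classification thresholds and
sample data below are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# One year in seconds: the max-age used in the article's example header.
ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int]       # None when the directive is absent or malformed
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a header value such as 'max-age=31536000; includeSubDomains'.

    Directive names are matched case-insensitively; unknown directives
    are ignored; a non-numeric max-age is treated as absent.
    """
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def assess_hsts(headers: Dict[str, str], min_age: int = ONE_YEAR) -> str:
    """Classify one response's HSTS state from its response headers.

    'missing'  - no Strict-Transport-Security header at all
    'disabled' - header present with max-age=0, which tells browsers to
                 drop any stored policy (the finding described above)
    'invalid'  - header present but max-age absent or unparseable,
                 so browsers ignore the header entirely
    'weak'     - max-age shorter than min_age (one year by default; an
                 assumption of this example, not a ScanRepeat rule)
    'enforced' - max-age at least min_age
    """
    # Header names are case-insensitive, so do a case-insensitive lookup.
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing"
    policy = parse_hsts(value)
    if policy.max_age is None:
        return "invalid"
    if policy.max_age == 0:
        return "disabled"
    if policy.max_age < min_age:
        return "weak"
    return "enforced"


def scan(responses: Dict[str, Dict[str, str]]) -> List[str]:
    """Return 'URL: state' findings for every response that is not enforced."""
    findings = []
    for url, headers in responses.items():
        state = assess_hsts(headers)
        if state != "enforced":
            findings.append(f"{url}: {state}")
    return findings


# Constructed sample responses (URL -> response headers); not real scan data.
SAMPLE_RESPONSES = {
    "https://example.test/": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "https://example.test/login": {"Strict-Transport-Security": "max-age=0"},
    "https://example.test/api": {"strict-transport-security": "max-age=3600"},
    "https://example.test/static": {"Content-Type": "text/css"},
    "https://example.test/old": {"Strict-Transport-Security": "includeSubDomains"},
}

if __name__ == "__main__":
    for line in scan(SAMPLE_RESPONSES):
        print(line)
```

The same ‘assess_hsts’ check can be run against the headers your own server emits after applying the fix above, to confirm that every HTTPS response carries a non-zero ‘max-age’ and, where intended, ‘includeSubDomains’.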