This article is part of our Web Security Knowledge Base.

Why Strict-Transport-Security Disabled can be dangerous

HTTP Strict Transport Security is a web security policy mechanism which allows for a web server to declare that user agents (web browsers) can interact with it only using HTTPS connections.

If a website accepts HTTP and does redirects to HTTPS, it is possible for visitors to initially communicate with the non-encrypted version of the website before being redirected. This is an opportunity for an attacker who can perform a man-in-the-middle attack. The attacker is able to use the redirect to direct users to a malicious site instead of the secure version of the initial website.

The HTTP ‘Strict-Transport-Security’ header informs the browser to never load a site using HTTP and to automatically convert all attempts to access the website using HTTP to HTTPS requests instead.

How to fix Strict-Transport-Security Disabled

Ensure that your web server, application server, load balancer, etc. is configured to enforce ‘Strict-Transport-Security’ by setting or adding an HTTP ‘Strict-Transport-Security’ (HSTS) header with an appropriate ‘max-age’ value.

Example:

Strict-Transport-Security: max-age=31536000; includeSubDomains

How does ScanRepeat report Strict-Transport-Security Disabled

ScanRepeat analyzes every HTTP response and reports URLs where the ‘Strict-Transport-Security’ HTTP header was found and had its ‘max-age’ directive set to zero.
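The following is an added example, not ScanRepeat's own code: it parses the ‘Strict-Transport-Security’ header from a response the way a scanner would and classifies the result as missing, disabled (max-age=0), invalid or enabled. The URLs and response headers are constructed sample data.

```python
# Added example (not ScanRepeat's code): parse a Strict-Transport-Security
# header the way a scanner would and classify what it finds.
import re

# One directive: name, optionally "=" and a (possibly quoted) value.
# Directive names are case-insensitive, so they are lower-cased when stored.
_DIRECTIVE_RE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*("?)([^;"\s]*)\2)?\s*')

def parse_hsts(header):
    """Return the header's directives as {name: value-or-None}."""
    directives = {}
    for part in header.split(";"):
        m = _DIRECTIVE_RE.fullmatch(part)
        if m:  # skip empty parts such as the one left by a trailing ';'
            directives.setdefault(m.group(1).lower(), m.group(3))
    return directives

def classify_hsts(header):
    """'missing', 'invalid' (no numeric max-age), 'disabled' (max-age=0) or 'enabled'."""
    if header is None:
        return "missing"
    max_age = parse_hsts(header).get("max-age")
    if max_age is None or not max_age.isdigit():
        return "invalid"
    return "disabled" if int(max_age) == 0 else "enabled"

def get_header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def check_responses(responses):
    """Return [(url, classification)] for a list of (url, response headers)."""
    return [(url, classify_hsts(get_header(hdrs, "Strict-Transport-Security")))
            for url, hdrs in responses]

# Constructed sample responses, not real scan output.
SAMPLE_RESPONSES = [
    ("https://example.test/", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("https://example.test/legacy", {"strict-transport-security": "max-age=0"}),
    ("https://example.test/api", {"Content-Type": "application/json"}),
    ("https://example.test/odd", {"Strict-Transport-Security": "includeSubDomains"}),
]

if __name__ == "__main__":
    for url, result in check_responses(SAMPLE_RESPONSES):
        print(f"{result:9} {url}")
```

Browsers only honour this header on responses received over HTTPS, so the responses fed to such a check should come from the HTTPS origin.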
