This article is a part of our Web Security Knowledge Base (back to index)

Why “Strict-Transport-Security Header Not Set” can be dangerous

The missing Strict-Transport-Security header results in communication over HTTP being allowed to the specified domain. That makes the website vulnerable to man-in-the-middle attacks, presenting a fake login page being one of the options. Correct configuration of the Strict-Transport-Security header ensures that only HTTPS requests are considered valid and considerably reduces the risk of accessing suspicious pages.

How to fix“Strict-Transport-Security Header Not Set”

Your server should be configured to include the header, e.g.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

max-age is the time in seconds indicating how long the browser should remember that a site is accessible via HTTPS only. The time is refreshed (set again to max-age) after each request to the domain. In the example the time is equal to one year.

includeSubDomains indicates that HTTPS restriction is valid for subdomains too (optional, but recommended).

preload is optional (and not the part of the official specification) and allows you to add your website to a preload list maintained by Google. This means that your domain will be hardcoded in the list and browsers will never try to connect using an insecure connection. Note that it will have permanent consequences and switching back to HTTP may be troublesome.

How does ScanRepeat report “Strict-Transport-Security Header Not Set”

ScanRepeat reports “Strict-Transport-Security Header Not Set” listing all instances of URL resources returned without the header along with additional information on what should be set to fix this problem.

Would you like to test your application now against this problem? Sign up for our free trial

Scan Your Web App Now
Scan your application
for 14 days for free

No credit card is required. No commitment.

Sign Up Free