This article is a part of our Web Security Knowledge Base (back to index)

Why Strict-Transport-Security Multiple Header Entries (Non-compliant with Spec) can be dangerous

HTTP Strict Transport Security is a web security policy mechanism which allows for a web server to declare that user agents (web browsers) can interact with it only using HTTPS connections.

Not only is the HTTP response with multiple headers not compliant with the specification, but also results in only the first HTTP ‘Strict-Transport-Security’ (HSTS) header being processed and others ignored by user agents or the policy being incorrectly applied.

How to fix Strict-Transport-Security Multiple Header Entries (Non-compliant with Spec)

Ensure that your web server, application server, load balancer, etc. is configured to enforce ‘Strict-Transport-Security’ by setting or adding a HTTP ‘Strict-Transport-Security’ (HSTS) header.

Example:

Strict-Transport-Security: max-age=31536000; includeSubDomains

How does ScanRepeat report Strict-Transport-Security Multiple Header Entries (Non-compliant with Spec)

ScanRepeat gets the ‘Strict-Transport-Security’ header of every HTTP response. ScanRepeat reports an alert if the header there’s more than one ‘Strict-Transport-Security’ header found in the response.

Would you like to test your application now against this problem? Sign up for our free trial

Scan your application
for 14 days for free

No credit card is required. No commitment.

Sign Up Free