Summary

Netsparker detected errors during parsing of Strict-Transport-Security header.

Impact

The HSTS Warning and Error may allow attackers to bypass HSTS, effectively allowing them to read and modify your communication with the website. 

Remediation

Ideally, after fixing the errors and warnings, you should consider adding your domain to the the HSTS preload list. This will ensure that browsers automatically connect your website by using HTTPS, actively preventing users from visiting your site using HTTP. Since this list is hardcoded in users' browsers, it will enable HSTS even before they visit your page for the first time, eliminating the need for Trust On First Use (TOFU) with its associated risks and disadvantages. Unless you fix the errors and warnings your website won't meet the conditions required to enter the browser's preload list.

Browser vendors declared:

  • Serve a valid certificate
  • If you are listening on port 80, redirect all domains from HTTP to HTTPS on the same host. Serve all subdomains over HTTPS:
    • In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists
  • Serve an HSTS header on the base domain for HTTPS requests:
    • The max-age must be at least 31536000 seconds (1 year)
    • The includeSubDomains directive must be specified
    • The preload directive must be specified
    • If you are serving an additional redirect from your HTTPS site, that redirect must have the HSTS header (rather than the page it redirects to)
Classifications
OWASP 2013-A5, OWASP 2017-A6
Vulnerability Index

Vulnerability Index

You can search and find all vulnerabilities

OR

Search Vulnerability

Tags

HSTS  HTTP 
Netsparker

Dead accurate, fast & easy-to-use Web Application Security Scanner

GET A DEMO