HTTP Strict Transport Security (HSTS) via HTTP

Summary #

HTTP Strict Transport Security header is sent via an HTTP response which must be sent in HTTPS responses instead.

Impact #

Web browsers will ignore the HSTS implementation and the users will not be able to take advantage of HSTS. This renders the HSTS implementation useless. Not having HSTS will make MITM attacks easier for attackers.

Classifications #

CWE-16, ISO27001-A.14.1.2, WASC-15, OWASP PC-C10, OWASP 2017-A6

Netsparker Security Insights #

How the POODLE Attack Spelled the End of SSL 3.0
5 Easy Wins for Web Application Security
HTTP Security Headers: An Easy Way to Harden Your Web Applications
Why Websites Need HTTP Strict Transport Security (HSTS)
Content-Type and Status Code Leakage