HTTP Strict Transport Security (HSTS) via HTTP

Complimentary 90-day, on-prem license available for entities involved in Covid19 response.

Summary

HTTP Strict Transport Security header is sent via an HTTP response which must be sent in HTTPS responses instead.

Impact

Web browsers will ignore the HSTS implementation and the users will not be able to take advantage of HSTS. This renders the HSTS implementation useless. Not having HSTS will make MITM attacks easier for attackers.

Classifications

CWE-16, ISO27001-A.14.1.2, WASC-15, OWASP PC-C10, OWASP 2017-A6

Netsparker Security Insights

Why Websites Need HTTP Strict Transport Security (HSTS)
Content-Type and Status Code Leakage
Why Framework Choice Matters in Web Application Security
The Importance of the Content-Type Header in HTTP Requests
Pros and Cons of DNS Over HTTPS

Dead accurate, fast & easy-to-use Web Application Security Scanner

GET A DEMO