HTTP Strict Transport Security (HSTS) Policy Not Enabled Identified on Target Web Application

Netsparker identified that HTTP requests are being redirected to HTTPS; however, the HTTP Strict Transport Security (HSTS) policy is not enabled.

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTP (HTTPS) connections. The HSTS Policy is communicated by the server to the user agent via an HTTP response header field named "Strict-Transport-Security". The HSTS Policy specifies a period of time during which the user agent shall access the server only in a secure fashion.

When a web application issues HSTS Policy to user agents, conformant user agents behave as follows:
  • Automatically turn any insecure links referencing the web application into secure links. (For instance, will be modified to before accessing the server.)
  • If the security of the connection cannot be ensured (e.g. the server's TLS certificate is self-signed), show an error message and do not allow the user to access the web application.


Configure your webserver to redirect HTTP requests to HTTPS.

For Apache, make the following modification in httpd.conf.

# load module
LoadModule headers_module modules/
# redirect all HTTP to HTTPS (optional; the Rewrite directives require mod_rewrite)
<VirtualHost *:80>
       ServerAlias *
       RewriteEngine On
       RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>
# HTTPS-Host-Configuration
<VirtualHost *:443>
      # Use HTTP Strict Transport Security to force client to use secure connections only
      Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
      # Further Configuration goes here
</VirtualHost>
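
The condition this page reports, an HTTP to HTTPS redirect with no Strict-Transport-Security header on the HTTPS response, can be checked as in the following added example (not Netsparker's code). The response tuples are constructed samples, and the function names and the default minimum max-age (taken from the configuration above) are assumptions.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return None if it is invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        if name in directives:                 # a repeated directive invalidates the header
            return None
        directives[name] = arg.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", max_age):   # max-age is required, in whole seconds
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives}

def audit(http_resp, https_resp, min_age=31536000):
    """Classify a site from its port-80 and port-443 responses: (status, headers)."""
    status, headers = http_resp
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if status not in (301, 302, 307, 308) or not location.lower().startswith("https://"):
        return "no HTTP to HTTPS redirect"
    sts = {k.lower(): v for k, v in https_resp[1].items()}.get("strict-transport-security")
    if sts is None:
        return "redirects to HTTPS but HSTS not enabled"   # the finding on this page
    policy = parse_hsts(sts)
    if policy is None:
        return "HSTS header present but invalid"
    if policy["max_age"] == 0:                 # max-age=0 tells the browser to drop the policy
        return "HSTS policy removed (max-age=0)"
    if policy["max_age"] < min_age:            # min_age threshold is an assumption
        return "HSTS enabled with short max-age"
    return "HSTS enabled"

# Constructed sample responses, not captured traffic.
REDIRECT = (301, {"Location": "https://www.example.com/"})
NO_HSTS = (200, {"Content-Type": "text/html"})
WITH_HSTS = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})

if __name__ == "__main__":
    print(audit(REDIRECT, NO_HSTS))
    print(audit(REDIRECT, WITH_HSTS))
```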
