HTTP Strict Transport Security (HSTS) Errors and Warnings

Severity: Medium
Summary

Invicti detected errors or warnings while parsing the Strict-Transport-Security (HSTS) response header, such as a missing or malformed max-age value, a duplicated directive, or a policy that does not meet the browser vendors' preload requirements.

Impact

A browser that cannot parse the Strict-Transport-Security header ignores it entirely, and a policy with a short max-age or without includeSubDomains protects only part of your site for part of the time. In either case an attacker on the network path can downgrade a user's connection to plain HTTP (for example on the first visit, or for an unprotected subdomain) and read or modify the traffic between the user and the website.

Remediation

Ideally, after fixing the errors and warnings, you should consider adding your domain to the HSTS preload list. Browsers ship with this list hardcoded, so they will connect to your website only over HTTPS, actively preventing users from reaching it over HTTP. Because the policy is already known to the browser, HSTS is enforced even before a user visits your site for the first time, which removes the Trust On First Use (TOFU) window in which an attacker can intercept the initial HTTP request. Until you fix the errors and warnings, your website will not meet the conditions required for inclusion in the browsers' preload list.

The browser vendors' requirements for preload list submission are:

  • Serve a valid certificate
  • If you are listening on port 80, redirect from HTTP to HTTPS on the same host, and serve all subdomains over HTTPS:
    • In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists
  • Serve an HSTS header on the base domain for HTTPS requests:
    • The max-age must be at least 31536000 seconds (1 year)
    • The includeSubDomains directive must be specified
    • The preload directive must be specified
    • If you are serving an additional redirect from your HTTPS site, that redirect must have the HSTS header (rather than the page it redirects to)
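The following checker, added here as an illustration and not part of Invicti's scanner or its documentation, parses a Strict-Transport-Security header value the way RFC 6797 describes (semicolon-separated directives, case-insensitive names, an optionally quoted max-age value, no duplicates) and then evaluates it against the preload conditions listed above. The header strings in the examples are constructed for the demonstration; the directive names, the one-year threshold and the rule that a duplicated or missing max-age makes browsers discard the header come from the standard and the preload requirements.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR = 31536000  # minimum max-age (seconds) required for preload submission

# RFC 7230 token characters: directive names must consist of these only
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


@dataclass
class HstsCheck:
    errors: List[str] = field(default_factory=list)    # header will be ignored by browsers
    warnings: List[str] = field(default_factory=list)  # header works, but preload conditions unmet
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False

    @property
    def preload_ready(self) -> bool:
        """True only if the header parses and satisfies every preload condition."""
        return (not self.errors
                and self.max_age is not None and self.max_age >= ONE_YEAR
                and self.include_subdomains and self.preload)


def check_hsts(header: str) -> HstsCheck:
    """Parse one Strict-Transport-Security value and judge its preload readiness.

    Browsers only honour the first STS header in a response, so callers that
    see several header lines should pass the first one.
    """
    res = HstsCheck()
    seen = set()
    for raw in header.split(';'):
        part = raw.strip()
        if not part:
            continue  # RFC 6797 tolerates empty directives ("a;;b", trailing ";")
        name, sep, value = part.partition('=')
        name = name.strip().lower()  # directive names are case-insensitive
        value = value.strip()
        if not _TOKEN.match(name):
            res.errors.append(f'invalid directive name {name!r}')
            continue
        if name in seen:
            # RFC 6797 6.1: a directive must not appear more than once; browsers
            # treat the whole header as invalid when one does.
            res.errors.append(f'duplicate directive {name!r}')
            continue
        seen.add(name)
        if name == 'max-age':
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # max-age value may be given as a quoted-string
            if not value.isdigit():
                res.errors.append(f'max-age value {value!r} is not a non-negative integer')
                continue
            res.max_age = int(value)
        elif name == 'includesubdomains':
            if sep:
                res.warnings.append('includeSubDomains takes no value')
            res.include_subdomains = True
        elif name == 'preload':
            if sep:
                res.warnings.append('preload takes no value')
            res.preload = True
        else:
            # Unrecognised directives are ignored by browsers; note them but do
            # not fail the header.
            res.warnings.append(f'unrecognised directive {name!r} is ignored')

    if 'max-age' not in seen:
        res.errors.append('max-age directive is missing; browsers ignore the header')
    elif res.max_age == 0:
        res.warnings.append('max-age=0 instructs browsers to delete the HSTS policy')
    elif res.max_age is not None and res.max_age < ONE_YEAR:
        res.warnings.append(f'max-age {res.max_age} is below the one-year preload minimum')
    if not res.include_subdomains:
        res.warnings.append('includeSubDomains directive is missing')
    if not res.preload:
        res.warnings.append('preload directive is missing')
    return res


if __name__ == '__main__':
    # Constructed sample headers, from preload-ready down to unparseable.
    for hdr in ['max-age=31536000; includeSubDomains; preload',
                'max-age="63072000"; includeSubDomains; preload',
                'max-age=300',
                'max-age=31536000; max-age=0',
                'includeSubDomains',
                'max-age=abc']:
        r = check_hsts(hdr)
        print(f'{hdr!r}: preload_ready={r.preload_ready} errors={r.errors} warnings={r.warnings}')
```

Anything reported in `errors` corresponds to the parsing failures this finding is about: the browser drops the whole policy, so the site has no HSTS protection at all. Items in `warnings` leave a working policy in place but block preload submission until the header is changed.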
