Description
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header.
HSTS prevents browsers from sending insecure HTTP communication to the specified domains and forces the browsers to only send communication over HTTPS.
Business Impact
An attacker in a man-in-the-middle position could exploit the absence of this header to keep the client's traffic on insecure HTTP. This could lead to a loss of confidentiality and other impacts.
Recommendation
It is recommended to configure the web server to always send the following HTTP header in all server responses.
Strict-Transport-Security: max-age=31536000
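As an added verification aid that is not part of this finding template, the following Python snippet parses the Strict-Transport-Security header out of a block of response headers and checks it against the recommendation above (header present, numeric max-age of at least one year). The sample responses are constructed, not captured from any real server.

```python
"""Check whether a server response carries an HSTS header that meets the recommendation."""

REQUIRED_MAX_AGE = 31536000  # one year, the max-age value recommended above


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a dict of lowercase directives (RFC 6797 syntax)."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def check_hsts(raw_headers):
    """Return (ok, reason) for a raw block of HTTP response headers given as a string."""
    values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            values.append(value.strip())
    if not values:
        return False, "header missing"
    # RFC 6797 section 8.1: a browser processes only the first STS header field it receives.
    directives = parse_hsts(values[0])
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return False, "max-age missing or not numeric"
    if int(max_age) < REQUIRED_MAX_AGE:
        return False, "max-age %s is below the recommended %d" % (max_age, REQUIRED_MAX_AGE)
    return True, "ok"


# Constructed sample responses used to exercise the check.
GOOD = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\nContent-Type: text/html\r\n"
SHORT = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n"
MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("short", SHORT), ("missing", MISSING)):
        print(label, check_hsts(sample))
```

Browsers only honour this header when it arrives over HTTPS, so the headers fed to the check should come from the TLS endpoint, not from a plain-HTTP response.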
Reference
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security