HTTP Strict Transport Security (HSTS) not implemented

Description

During the scan, Kayran found that the HTTP Strict Transport Security (HSTS) header is not being implemented. The Strict-Transport-Security response header is an opt-in security enhancement that a web application specifies through a special response header.
HSTS prevents browsers from sending insecure HTTP communication to specific domains. It forces browsers to communicate with those domains only over HTTPS.

An attacker could exploit this vulnerability to perform man-in-the-middle attacks (MITM).
This vulnerability could lead to a loss of confidentiality and more.

Recommendation

It is recommended to configure the web server so that it always sends the following HTTP header in all server responses:
Strict-Transport-Security: max-age=31536000
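As an added example (not part of this report or of the Kayran scanner), the Python checker below parses the Strict-Transport-Security header the way RFC 6797 describes and reports the conditions a scanner would flag: header absent, header syntactically invalid (which browsers ignore), max-age=0 (which removes the policy), or max-age below the one-year value recommended above. The response headers it is run against are constructed samples.

```python
import re

ONE_YEAR = 31536000  # seconds; the max-age value recommended above

def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797.

    Directives are ';'-separated and case-insensitive; max-age is required,
    may be quoted, and no directive may repeat. Raises ValueError for a
    header a browser would ignore.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if policy["max_age"] is not None:
                raise ValueError("duplicate max-age directive")
            if not re.fullmatch(r"\d+", val):
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as RFC 6797 requires
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy

def check_hsts(headers):
    """Given response headers (dict, names in any case), return (ok, finding)."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "HSTS not implemented: header absent"
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return False, f"HSTS header invalid ({exc}); browsers will ignore it"
    if policy["max_age"] == 0:
        return False, "max-age=0 removes the policy rather than enforcing it"
    if policy["max_age"] < ONE_YEAR:
        return False, f"max-age {policy['max_age']} is below the recommended {ONE_YEAR}"
    suffix = " including subdomains" if policy["include_subdomains"] else ""
    return True, "HSTS enforced" + suffix
```

Note that the check only tells you what the server sends; the policy only protects a user after their browser has already received it over a valid HTTPS connection once.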

References

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
