HTTP Strict Transport Security (HSTS) not implemented

Description

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header.
HSTS prevents browsers from sending insecure HTTP communication to the specified domains and forces the browsers to only send communication over HTTPS.

Business Impact

An attacker in a man-in-the-middle position could exploit the absence of HSTS, since browsers may still send requests to the domain over insecure HTTP. This could lead to a loss of confidentiality, among other impacts.

Recommendation

It is recommended to configure the web server to always send the following HTTP header in all server responses:
Strict-Transport-Security: max-age=31536000
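As an added example (not part of this finding page or the scanner's own code), the following Python check classifies a response's headers the way a scanner would report this finding: missing, malformed, weak, or ok. The one-year threshold mirrors the recommended max-age above; the sample responses are constructed for the illustration.

```python
"""Check a response's headers for a usable Strict-Transport-Security policy."""
import re
from typing import Optional

# Threshold used by this example: one year, matching the recommended max-age above.
MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> Optional[dict]:
    """Parse an STS header value (RFC 6797): ';'-separated directives with
    case-insensitive names; max-age is mandatory and must be an integer."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None  # malformed max-age: browsers discard the header
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def assess(headers: dict) -> str:
    """Classify a response as 'missing', 'malformed', 'weak' or 'ok'."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing"       # the finding described on this page
    policy = parse_hsts(value)
    if policy is None:
        return "malformed"     # header present but unusable by browsers
    if policy["max_age"] < MIN_MAX_AGE:
        return "weak"          # policy expires too soon to be effective
    return "ok"


# Constructed sample responses, not captured from any real server.
SAMPLES = {
    "no-header": {"Content-Type": "text/html"},
    "recommended": {"Strict-Transport-Security": "max-age=31536000"},
    "short": {"strict-transport-security": "max-age=300; includeSubDomains"},
    "broken": {"Strict-Transport-Security": "includeSubDomains"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {assess(hdrs)}")
```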

Reference

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
