
Strict-Transport-Security Header is Missing

Impact: Low

Description

The absence of the HTTP Strict-Transport-Security (HSTS) response header leaves a website vulnerable to protocol downgrade attacks and session hijacking. HSTS tells browsers that have visited the site to use HTTPS only for a given period; without it, a browser may still send plain HTTP requests (for example, when a user types the hostname without a scheme or follows an http:// link), and an attacker positioned on the network can potentially intercept and manipulate that unencrypted traffic, compromising the confidentiality and integrity of sensitive data exchanged between the client and server.

Recommendation

To enhance security, configure your server to send the Strict-Transport-Security header for all pages with a suitable max-age directive, instructing browsers to enforce HTTPS connections. Additionally, consider including the includeSubDomains directive to extend HSTS protection to all subdomains of your site.
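The following is an added example (not SmartScanner's code) showing how a scanner or a deployment test might evaluate the HSTS header in the way the recommendation above describes: it reports the header as missing, malformed, disabled (max-age=0), weak (short max-age) or lacking includeSubDomains. The sample response headers are constructed inline; the one-year threshold is this example's assumption, since the text only says "suitable". Note that browsers honour the header only when it is received over HTTPS, so the check should be run against the HTTPS response.

```python
"""Evaluate a Strict-Transport-Security (HSTS) response header.

Added example, not SmartScanner's own code. Parsing follows the
directive syntax of RFC 6797: directives are separated by ";",
names are case-insensitive and values may be quoted.
"""

# One year in seconds. The page says only "suitable max-age"; treating
# anything shorter than a year as weak is this example's assumption.
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse an HSTS header value into {directive-name: value}.

    Returns None when max-age is present but not a non-negative integer,
    which browsers treat as an invalid policy.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    if "max-age" in directives and not directives["max-age"].isdigit():
        return None
    return directives


def assess_hsts(headers):
    """Return a list of findings for a dict of response headers.

    Header names are matched case-insensitively. An empty list means the
    header is present, well-formed and meets the thresholds above.
    """
    value = None
    for name, val in headers.items():
        if name.lower() == "strict-transport-security":
            value = val
            break
    if value is None:
        return ["missing: Strict-Transport-Security header not present"]

    directives = parse_hsts(value)
    if directives is None or "max-age" not in directives:
        return ["malformed: max-age directive missing or not numeric"]

    findings = []
    max_age = int(directives["max-age"])
    if max_age == 0:
        findings.append("disabled: max-age=0 tells browsers to discard the HSTS policy")
    elif max_age < MIN_MAX_AGE:
        findings.append(
            f"weak: max-age={max_age} is below {MIN_MAX_AGE} seconds (one year)"
        )
    if "includesubdomains" not in directives:
        findings.append("note: includeSubDomains absent, subdomains are not covered")
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "no_header": {"Content-Type": "text/html"},
    "disabled": {"Strict-Transport-Security": "max-age=0"},
    "weak": {"Strict-Transport-Security": "max-age=300"},
    "good": {"strict-transport-security": 'max-age="31536000"; includeSubDomains'},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(label, "->", assess_hsts(hdrs) or ["ok"])
```

In practice the header is added server-side; on nginx, for example, `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` in the HTTPS server block produces a value this check accepts (the `always` flag makes nginx include the header on error responses too). Deploy with a short max-age first and raise it once you are sure every subdomain is served over HTTPS, because a long max-age with includeSubDomains cannot be undone quickly in clients that have already cached it.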

References

Last updated on May 13, 2024
