Description
The absence of the HTTP Strict-Transport-Security (HSTS) response header leaves a website vulnerable to protocol downgrade (SSL stripping) attacks and, through them, to session hijacking. Without the header, a browser that reaches the site over plain HTTP (an address typed without a scheme, an old http:// bookmark, or a link rewritten by an attacker on the network path) completes that request, so an attacker positioned between client and server can keep the session on HTTP, read and modify the traffic, and capture cookies or credentials, compromising the confidentiality and integrity of the data exchanged. When the header is present, a browser that has seen it on an earlier HTTPS response rewrites later HTTP requests for the host to HTTPS before sending them, and refuses connections whose TLS certificate it cannot validate instead of offering a click-through warning.
Recommendation
To enhance security, configure your server to send the Strict-Transport-Security header on every HTTPS response with a suitable max-age directive (a commonly recommended minimum is one year, max-age=31536000, which is also the minimum accepted by the browser preload list), instructing browsers to enforce HTTPS connections to the host. Additionally, consider including the includeSubDomains directive to extend HSTS protection to all subdomains of your site; confirm first that every subdomain is served over HTTPS, because the policy applies to all of them at once and will make HTTP-only subdomains unreachable. Note that browsers ignore the header when it arrives over plain HTTP and only honour it after a first successful HTTPS visit, so the HTTP port should redirect to HTTPS, and a site that needs protection before that first visit can add the preload directive and submit the domain to the browser preload list.
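The following is an added example for checking a response against the recommendation above; it is not part of the original page or of any scanner's code. It parses the header value as RFC 6797 describes (semicolon-separated directives, case-insensitive names, max-age required, duplicate directives invalidate the header) and reports the weaknesses a tester would flag: a missing header, a header sent over plain HTTP, a short or zero max-age, a missing includeSubDomains, and a preload directive whose prerequisites are not met. The function names, the one-year threshold and the sample responses are constructed for this example.

```python
"""Audit Strict-Transport-Security header values (added example, not page code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31536000  # seconds; the minimum max-age the preload list accepts


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split a header value into directive -> value (None when the directive has no value).

    Directive names are case-insensitive and a value may be quoted (RFC 6797 s6.1).
    A directive that appears twice makes the whole header invalid, so raise.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = val.strip().strip('"') if val else None
    return directives


def evaluate_hsts(scheme: str, headers: Dict[str, str]) -> HstsResult:
    """Evaluate one response given its URL scheme and a header dict (names matched case-insensitively)."""
    lookup = {k.lower(): v for k, v in headers.items()}
    value = lookup.get("strict-transport-security")
    result = HstsResult(present=value is not None)
    if value is None:
        result.findings.append("missing Strict-Transport-Security header")
        return result
    if scheme.lower() != "https":
        # Browsers only process the header on a secure transport (RFC 6797 s7.2).
        result.findings.append("header sent over plain HTTP; browsers ignore it")
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        result.findings.append(f"malformed header: {exc}")
        return result
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        result.findings.append("max-age directive missing or not a number; header is invalid")
        return result
    result.max_age = int(max_age)
    result.include_subdomains = "includesubdomains" in d
    result.preload = "preload" in d
    if result.max_age == 0:
        result.findings.append("max-age=0 clears the policy instead of enforcing HTTPS")
    elif result.max_age < ONE_YEAR:
        result.findings.append(f"max-age {result.max_age} is below one year ({ONE_YEAR})")
    if not result.include_subdomains:
        result.findings.append("includeSubDomains absent; subdomains remain downgradable")
    if result.preload and (result.max_age < ONE_YEAR or not result.include_subdomains):
        result.findings.append("preload requires max-age >= 1 year and includeSubDomains")
    return result


# Constructed sample responses: (scheme, headers) as a scanner would record them.
SAMPLE_RESPONSES: Dict[str, Tuple[str, Dict[str, str]]] = {
    "weak": ("https", {"Strict-Transport-Security": "max-age=300"}),
    "good": ("https", {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"}),
    "missing": ("https", {"Content-Type": "text/html"}),
    "http": ("http", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
}


def audit(samples: Dict[str, Tuple[str, Dict[str, str]]] = SAMPLE_RESPONSES) -> Dict[str, HstsResult]:
    """Evaluate every sample and return the results keyed by sample name."""
    return {name: evaluate_hsts(scheme, hdrs) for name, (scheme, hdrs) in samples.items()}


if __name__ == "__main__":
    for name, res in audit().items():
        print(f"{name}: {'ok' if not res.findings else '; '.join(res.findings)}")
```

To use it against a live target, feed evaluate_hsts the scheme of the URL actually fetched and the response headers from your HTTP client; check the HTTPS response, not the HTTP redirect, since the header only counts on the former.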
References
- Mozilla: Web Security
- Mozilla: Strict-Transport-Security
- OWASP: HTTP Strict Transport Security (HSTS)
- CWE-16: Configuration
- OWASP Top 10 2021, A05: Security Misconfiguration