Missing Strict-Transport-Security header.
What is the Strict-Transport-Security header?
Suppose a site accepts connections over HTTP and redirects them to HTTPS. A user may first load the site over HTTP before being redirected, for instance by typing http://www.example.com/ or just example.com. This creates a window for a man-in-the-middle attack: the redirect could be abused to send visitors to a malicious site instead of the secure version of the original site.
The HTTP Strict Transport Security header tells the browser that it should never access the site over HTTP and should, by default, convert every HTTP request for the site into an HTTPS request before it is sent. In other words, the Strict-Transport-Security response header lets a web site tell browsers that it must only be accessed using HTTPS, never HTTP. It is a response header.
The syntax of this header is as follows:
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
Example:
If a banking web application sends the Strict-Transport-Security header, browsers will automatically upgrade its URLs to HTTPS and encrypt the communication channel, preventing a man-in-the-middle attacker from stealing or modifying critical data over the wire.
If it becomes necessary to disable Strict Transport Security, setting max-age to 0 (over an HTTPS connection) immediately expires the stored Strict-Transport-Security policy, allowing access via HTTP again.
Always set the header on all URIs and pages within the web application. Once the site returns the Strict-Transport-Security header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead. Best practice is as follows:
Strict-Transport-Security: max-age=31536000; includeSubDomains
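To make the browser-side behaviour described above concrete, here is an added example (not code from the original article): a parser for the header syntax shown above, an audit function that reports the findings a scanner would raise against the best-practice value, and a simulation of the browser's HSTS host store, including the header-over-HTTPS-only rule, includeSubDomains matching, max-age expiry and the max-age=0 disable case. All hostnames, header values and the clock are constructed sample data.

```python
"""Added example: HSTS header parsing, audit and a simulated browser HSTS cache.
Not part of the original article; hostnames and header values are constructed."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

BEST_PRACTICE_MAX_AGE = 31536000  # one year, the value recommended in the article


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 syntax).

    Directive names are case-insensitive and max-age is mandatory. A duplicate
    or non-numeric max-age makes the header invalid, which a browser treats as
    'no policy', so None is returned in that case.
    """
    max_age = None
    include_subdomains = preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')  # values may be quoted strings
        if name == "max-age":
            if max_age is not None or not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as RFC 6797 requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def audit_hsts(value: Optional[str]) -> List[str]:
    """Return the findings a scanner would report for a site's HSTS header."""
    if value is None:
        return ["Missing Strict-Transport-Security header"]
    policy = parse_hsts(value)
    if policy is None:
        return ["Malformed Strict-Transport-Security header (no valid max-age)"]
    findings = []
    if policy.max_age < BEST_PRACTICE_MAX_AGE:
        findings.append(f"max-age {policy.max_age} is below the recommended {BEST_PRACTICE_MAX_AGE}")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set")
    return findings


class HstsCache:
    """Simulates the browser's store of 'known HSTS hosts'."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._hosts: Dict[str, Tuple[float, bool]] = {}  # host -> (expiry, includeSubDomains)

    def observe_response(self, url: str, hsts_header: Optional[str]) -> None:
        """Record a policy from a response. Only HTTPS responses count; a header
        received over plain HTTP is ignored, and max-age=0 deletes the entry."""
        parts = urlsplit(url)
        if parts.scheme != "https" or hsts_header is None:
            return
        policy = parse_hsts(hsts_header)
        if policy is None:
            return
        host = parts.hostname.lower()
        if policy.max_age == 0:
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = (self._now() + policy.max_age, policy.include_subdomains)

    def is_known_host(self, host: str) -> bool:
        """True if host, or a parent domain whose policy has includeSubDomains, is unexpired."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= self._now():
                continue
            if i == 0 or entry[1]:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Return the URL the browser actually requests: http:// is upgraded to
        https:// for known HSTS hosts (keeping an explicit non-default port)."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_host(parts.hostname):
            netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    cache = HstsCache()
    print(audit_hsts("max-age=300"))
    cache.observe_response("https://www.example.com/", "max-age=31536000; includeSubDomains")
    print(cache.rewrite("http://api.www.example.com/login"))
```

The cache is keyed by the exact host that sent the header, so a policy learned from www.example.com covers api.www.example.com when includeSubDomains is set but never the parent example.com; this is why the article advises setting the header on every URI and page, and why bare-domain deployments should also serve it from the apex host.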
Nginx:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Apache:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
IIS: