Missing Strict-Transport-Security header.
What is Strict-Transport-Security header?
Supposedly that a site opens a connection through HTTP and redirects to HTTPS, attackers may at first attempt to load the site in HTTP before being diverted, if, for instance, the attacker accesses http://www.example.com/or even just example.com. This creates a chance for a man-in-the-center assault. The redirect could be misused to guide guests to a malicious site rather than the protected version of the first site.
The HTTP Strict Transport Security header tell the browser that it ought to never access a site with HTTP and ought to default change over all redirects to get to the site utilizing HTTP to HTTPS request. The HTTP Strict-Transport-Security response header lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP. It is response header.
The main syntax of this header are as below:
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
If a banking web application uses Strict-Transport-Security header it will automatically redirect to HTTPS and encrypt the communication channel preventing man-in-the-middle attacks from stealing critical or modifying data over the wire.
If it be necessary to disable Strict Transport Security, setting the max-age to 0 (over a https connection) will immediately expire the Strict-Transport-Security header, allowing access via http.
Always set the header for all URI and pages within web application. If returns the Strict-Transport-Security header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead. Best practice is as below:
Strict-Transport-Security: max-age=31536000; includeSubDomains
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"