Strict Transport Security Header Missing


Missing Strict-Transport-Security header.


What is Strict-Transport-Security header?
Supposedly that a site opens a connection through HTTP and redirects to HTTPS, attackers may at first attempt to load the site in HTTP before being diverted, if, for instance, the attacker accesses even just This creates a chance for a man-in-the-center assault. The redirect could be misused to guide guests to a malicious site rather than the protected version of the first site.
The HTTP Strict Transport Security header tell the browser that it ought to never access a site with HTTP and ought to default change over all redirects to get to the site utilizing HTTP to HTTPS request. The HTTP Strict-Transport-Security response header lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP. It is response header.

The main syntax of this header are as below:
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
If a banking web application uses Strict-Transport-Security header it will automatically redirect to HTTPS and encrypt the communication channel preventing man-in-the-middle attacks from stealing critical or modifying data over the wire.

If it be necessary to disable Strict Transport Security, setting the max-age to 0 (over a https connection) will immediately expire the Strict-Transport-Security header, allowing access via http.


Always set the header for all URI and pages within web application. If returns the Strict-Transport-Security header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead. Best practice is as below:

Strict-Transport-Security: max-age=31536000; includeSubDomains
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"