Insecure or unset HTTP headers - Strict Transport Security

Description

The server is missing the Strict-Transport-Security HTTP header. Alternatively, the header's max-age is too short.

Impact

Compromise confidential information sent through insecure channels.

Recommendation

Set the Strict-Transport-Security header with a max-age of 63072000 and the includeSubDomains directive on all server responses.

Threat

Unauthorized attacker from adjacent network performing a sniffing attack.

Expected Remediation Time

⌚ 30 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the src.

Base

  • Attack vector: A
  • Attack complexity: L
  • Privileges required: N
  • User interaction: R
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: P
  • Remediation level: O
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
  • Score:
    • Base: 3.5
    • Temporal: 3.2
  • Severity:
    • Base: Low
    • Temporal: Low

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

  • Attack vector: A
  • Attack complexity: L
  • Attack Requirements: N
  • Privileges required: N
  • User interaction: A
  • Confidentiality (VC): L
  • Integrity (VI): N
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: P

Result 4.0

  • Vector string: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
  • Score:
    • CVSS-BT: 1.9
  • Severity:
    • CVSS-BT: Low

Details

The HTTP Strict-Transport-Security response header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

Exploitation scenario

You log into a free WiFi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you're using is actually a hacker's laptop, and they're intercepting your original HTTP request and redirecting you to a clone of your bank's site instead of the real thing. Now your private data is exposed to the hacker.

Strict Transport Security resolves this problem; as long as you've accessed your bank's web site once using HTTPS, and the bank's web site uses Strict Transport Security, your browser will know to automatically use only HTTPS, preventing hackers from performing this sort of man-in-the-middle attack.

Words of caution

Note that for the Strict Transport Security response header to work, your users must have accessed your website through HTTPS at least once.

Configuring this header in all responses (including error pages) increases the effectiveness of Strict Transport Security by increasing the probability that your users have visited the website through HTTPS at least once. Once this condition is met, the browser will remember (for max-age seconds) that your site must only be accessed through HTTPS.

Using a large value for max-age also increases the effectiveness of the header.

Secure implementation

Set the Strict-Transport-Security: max-age=31536000 HTTP header in all responses from your site, including error pages, over both HTTP and HTTPS.
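
A check for this finding, as an added example rather than code from the original page or from Fluid Attacks: it parses a Strict-Transport-Security value and reports a missing header, a max-age that is too short, or an absent includeSubDomains directive. The function names, finding strings and sample responses are assumptions constructed for illustration; the thresholds are the ones this page states.

```python
import re

# Page values: "Secure implementation" uses 31536000; the "Recommendation"
# asks for 63072000 plus includeSubDomains (pass min_max_age to enforce it).
MIN_MAX_AGE = 31536000

# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "ok": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"},
    "short": {"strict-transport-security": "max-age=300"},
    "error-page": {"Content-Type": "text/html"},
}


def parse_hsts(value):
    """Parse a header value into {directive: argument-or-None} (RFC 6797, 6.1)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:  # a repeated directive invalidates the header
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg.strip().strip('"') if arg else None
    return directives


def audit_hsts(headers, min_max_age=MIN_MAX_AGE, require_subdomains=True):
    """Return a list of findings for one response's headers (empty = pass)."""
    lowered = {k.lower(): v for k, v in headers.items()}  # names ignore case
    raw = lowered.get("strict-transport-security")
    if raw is None:
        return ["header missing"]
    try:
        d = parse_hsts(raw)
    except ValueError as exc:
        return [f"header invalid: {exc}"]
    findings = []
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        findings.append("max-age missing or not an integer")
    elif int(max_age) < min_max_age:
        findings.append(f"max-age {max_age} is below {min_max_age}")
    if require_subdomains and "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings
```

Run audit_hsts over the headers of every response class your site emits, error pages included, since the page notes that a response without the header lowers the protection.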
