Strict-Transport-Security Header Not Set

Reference

Plugin Id: 10035 | CWE: 319

Remediation

To fix the “Strict-Transport-Security Header Not Set” vulnerability, you need to configure your web server to include the HTTP Strict Transport Security (HSTS) header in its responses. This header instructs compliant user agents (such as web browsers) to only interact with the server over secure HTTPS connections.

To set the HSTS header, you can add the following configuration to your web server (this example is Apache httpd syntax using mod_headers; other servers use an equivalent directive):

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

This example sets the HSTS header with a maximum age of one year (31536000 seconds) and includes all subdomains. Adjust the values according to your specific requirements.
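As an added check that is not part of this entry, the following Python routine inspects a response's headers the way a scanner reporting this finding would: it parses the Strict-Transport-Security value per RFC 6797, applies the rules a user agent applies (only the first STS header field counts, the header is ignored over plain HTTP, a repeated or malformed directive invalidates it), and flags a missing, short or host-only policy. The `headers` dict and the finding strings are this example's own conventions.

```python
import re

ONE_YEAR = 31536000  # seconds; the max-age used in the remediation above

# One directive: name, optionally "=" followed by a token or a quoted-string (RFC 6797 s6.1).
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^;\s"]+)))?\s*')


def parse_hsts(value):
    """Parse an STS header value into {lowercased directive: value or None}.
    Raises ValueError on syntax a user agent would reject (malformed or repeated directive)."""
    directives = {}
    for part in value.split(";"):  # assumes no ';' inside a quoted value
        if not part.strip():
            continue  # empty element, e.g. a trailing ';'
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            raise ValueError(f"malformed directive: {part.strip()!r}")
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in directives:
            raise ValueError(f"directive repeated: {name}")
        directives[name] = m.group(2) if m.group(2) is not None else m.group(3)
    return directives


def assess_hsts(headers, scheme="https", min_age=ONE_YEAR):
    """Return a list of findings for a response; an empty list means the policy is acceptable."""
    sts = [v for k, v in headers.items() if k.lower() == "strict-transport-security"]
    if not sts:
        return ["Strict-Transport-Security header not set"]
    if scheme != "https":
        return ["HSTS header received over plain HTTP; user agents ignore it"]
    try:
        d = parse_hsts(sts[0])  # a user agent processes only the first STS header field
    except ValueError as exc:
        return [f"invalid HSTS header (ignored by user agents): {exc}"]
    if d.get("max-age") is None or not d["max-age"].isdigit():
        return ["max-age directive missing or not an integer; header is ignored"]
    findings = []
    age = int(d["max-age"])
    if age == 0:
        findings.append("max-age=0 removes the HSTS policy for this host")
    elif age < min_age:
        findings.append(f"max-age={age} is shorter than the recommended {min_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set; subdomains are not covered")
    return findings
```

Run it against the headers of a live HTTPS response (for example from an HTTP client library) with the scheme the response was actually fetched over, since a header that only appears on the HTTP redirect does not protect anyone.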

About

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that ensures secure communication between a web server and user agents. It is an IETF standards track protocol specified in RFC 6797. When a web server includes the HSTS header in its responses, compliant user agents will automatically convert any insecure HTTP requests to secure HTTPS requests.

By enforcing the use of HTTPS, HSTS helps protect against various attacks, such as man-in-the-middle attacks and protocol downgrade attacks. It also helps prevent users from accidentally accessing the website over insecure connections.

Risks

The “Strict-Transport-Security Header Not Set” vulnerability poses several risks to the security of your web application:

  1. Man-in-the-Middle Attacks: Without HSTS, an attacker can intercept the initial HTTP request and force the user to communicate over an insecure connection. This allows the attacker to eavesdrop on or modify the communication between the user and the server.

  2. Protocol Downgrade Attacks: Attackers can exploit the absence of HSTS to downgrade the secure HTTPS connection to an insecure HTTP connection. This can lead to the exposure of sensitive information, such as login credentials or session cookies.

  3. Session Hijacking: Without HSTS, session cookies transmitted over insecure connections are vulnerable to interception. Attackers can steal these cookies and impersonate the user, gaining unauthorized access to their accounts.

  4. Loss of User Trust: Failing to enforce secure connections can erode user trust in your website. Users may be hesitant to provide sensitive information or engage in transactions if they perceive the site as insecure.

By implementing HSTS and ensuring the Strict-Transport-Security header is set, you can mitigate these risks and enhance the security of your web application.