Applicability: optional for HTTP 1.0 and HTTP 1.1; required for HTTP 1.0 (HTTPS) and HTTP 1.1 (HTTPS).
HTTP Strict-Transport-Security (HSTS) tells a browser to reach the host only over HTTPS for the number of seconds given by max-age: plain http:// requests are rewritten to https:// before they leave the client, and certificate errors on that host cannot be clicked through. Used properly, the header defeats the SSL-stripping and protocol-downgrade forms of man-in-the-middle (MITM) attack; it does not protect the very first visit, which is what the preload list exists for. The header is defined in RFC 6797.
Requirements
- The max-age parameter is required.
- The includeSubDomains and preload parameters are optional. If present, we check that they are spelled correctly and carry no value (that is, a syntax check).
- An HSTS header on an HTTP response is ignored, since user agents only honour it on HTTPS responses.
See finding messages.
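The requirements above amount to a syntax check over the directive list of RFC 6797 section 6.1. The checker below is an added example written for this page; it is not the assessment tool's own code, the finding strings and the function name assess_hsts are my own wording rather than the tool's finding messages, and the sample header values are constructed. It treats preload as a legitimate directive because the page does, even though RFC 6797 itself does not define it, and it goes slightly beyond the page by also flagging duplicate directives and a non-numeric max-age, which RFC 6797 likewise rejects.

```python
"""Syntax assessment of a Strict-Transport-Security value (RFC 6797, section 6.1).

Added example for this page, not the assessment tool's own code; the finding
strings below are my own wording, not the tool's finding messages.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# token = 1*<any CHAR except CTLs or separators> (RFC 2616 section 2.2)
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# delta-seconds = 1*DIGIT (RFC 6797 section 6.1.1)
_DIGITS = re.compile(r"^[0-9]+$")


@dataclass
class HstsAssessment:
    """What the checker found; an empty findings list means the header passed."""
    findings: list[str] = field(default_factory=list)
    max_age: int | None = None
    include_subdomains: bool = False
    preload: bool = False

    @property
    def ok(self) -> bool:
        return not self.findings


def _split_directives(value: str) -> list[tuple[str, str | None]]:
    """Split on ';' outside quoted-strings into (name, value) pairs.

    value is None for a valueless directive; quotes stay on the value so the
    caller sees the exact syntax. Empty directives ("; ;") are legal per the
    ABNF and are skipped.
    """
    parts: list[str] = []
    buf: list[str] = []
    in_quote = False
    for ch in value:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    out: list[tuple[str, str | None]] = []
    for raw in parts:
        raw = raw.strip()
        if not raw:
            continue
        name, sep, val = raw.partition("=")
        out.append((name.strip(), val.strip() if sep else None))
    return out


def assess_hsts(header_value: str | None, scheme: str = "https") -> HstsAssessment:
    """Apply the page's requirements to one Strict-Transport-Security value.

    scheme is the scheme of the response the header arrived on: RFC 6797
    section 8.1 says a UA MUST ignore the header on insecure transport.
    """
    a = HstsAssessment()
    if scheme.lower() != "https":
        a.findings.append("HSTS header on a plain-HTTP response is ignored by user agents")
        return a
    if header_value is None:
        a.findings.append("Strict-Transport-Security header missing")
        return a
    seen: set[str] = set()
    for name, val in _split_directives(header_value):
        lname = name.lower()  # directive names are case-insensitive
        if not _TOKEN.match(name):
            a.findings.append(f"directive name is not a valid token: {name!r}")
            continue
        if lname in seen:  # RFC 6797: a directive MUST NOT appear more than once
            a.findings.append(f"directive {lname} appears more than once")
            continue
        seen.add(lname)
        if lname == "max-age":
            if val is None:
                a.findings.append("max-age has no value")
                continue
            # directive-value may be a quoted-string, so max-age="300" is legal
            unquoted = val[1:-1] if len(val) >= 2 and val[0] == val[-1] == '"' else val
            if not _DIGITS.match(unquoted):
                a.findings.append(f"max-age value is not delta-seconds: {val!r}")
                continue
            a.max_age = int(unquoted)  # 0 is valid syntax but tells the UA to forget the host
        elif lname in ("includesubdomains", "preload"):
            if val is not None:
                a.findings.append(f"{lname} must not carry a value (got {val!r})")
                continue
            if lname == "includesubdomains":
                a.include_subdomains = True
            else:
                a.preload = True
        # any other directive is an unrecognised extension and is ignored (RFC 6797 section 6.1)
    if "max-age" not in seen:
        a.findings.append("required max-age directive is missing")
    return a


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    for value in ("max-age=31536000; includeSubDomains; preload",
                  "includeSubDomains",
                  "max-age=300; includeSubDomains=true",
                  'max-age="300"; max-age=600'):
        print(repr(value), "->", assess_hsts(value).findings or "ok")
```

Note that a server which sends several Strict-Transport-Security header fields is only judged on the first one by user agents (RFC 6797 section 8.1), so feed the checker the first value when a response carries more than one.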
- March 26, 2025: Optional for HTTP 1.0 and HTTP 1.1.
- September 12, 2023: Separated finding messages.
- August 31, 2020: Added requirements.