Security Performance Management
Continuous Monitoring
Cyber Insurance
National Cybersecurity

Articles in this section

See more

Proper HTTP Strict-Transport-Security (HSTS) Implementation

Avatar
Ingrid
Follow
  • September 12, 2023: Separated finding messages.
  • August 31, 2020: Added requirements.

⇤ Web Application Header Assessment

Required for both HTTP/1.1 and HTTP/1.0

HTTP Strict-Transport-Security (HSTS) enforces the use of HTTP over TLS/SSL. Properly using this header can help prevent man-in-the-middle attacks (MITM). This header is defined in RFC-6797.

Requirements

  • The max-age parameter is required.
  • The includeSubDomains and preload parameters are optional. If present, we check to see if they are legitimate and that there are no associated values (i.e., syntax parsing).
  • An HSTS header on an HTTP response is ignored.

See finding messages.

Related articles