Proper HTTP Strict-Transport-Security (HSTS) Implementation

Ingrid

This documentation pertains to the Web Application Headers (WAH) risk vector, which was replaced with Web Application Security (WAS) in the RAU25 and will be deprecated. WAH is now a non-graded risk vector and is assigned with an N/A grade.

HTTP Strict-Transport-Security (HSTS) enforces the use of HTTP over TLS/SSL. Properly using HSTS can help prevent man-in-the-middle attacks (MITM).

Optional for: HTTP 1.0 and HTTP 1.1

Required for: HTTP 1.0 (HTTPS) and HTTP 1.1 (HTTPS)

The HSTS header is defined in RFC-6797.

Configuration

The max-age parameter is required.
The includeSubDomains and preload parameters are optional. If present, we check to see if they are legitimate and that there are no associated values (i.e., syntax parsing).
An HSTS header on an HTTP response is ignored.

See how Web Application Headers is assessed and finding messages.

December 9, 2025: WAH was replaced by WAS.
March 26, 2025: Optional for HTTP 1.0 and HTTP 1.1.
September 12, 2023: Separated finding messages.
August 31, 2020: Added requirements.

Feedback

0 comments

Please sign in to leave a comment.