Web Application Header Assessment
Required for both HTTP/1.1 and HTTP/1.0
HTTP Strict-Transport-Security (HSTS) instructs a browser to reach the site only over HTTPS (HTTP over TLS) for the period the header specifies; plain-HTTP requests to the host are rewritten to HTTPS before they are sent. Properly using this header helps prevent protocol-downgrade and other man-in-the-middle (MITM) attacks. The header is defined in RFC 6797.
Requirements
- The max-age parameter is required.
- The includeSubDomains and preload parameters are optional. If present, we check that they are legitimate and that they carry no associated values (i.e., syntax parsing).
- An HSTS header on a plain HTTP (non-TLS) response is ignored, because user agents disregard it (RFC 6797, Section 8.1).
See finding messages.
- September 12, 2023: Separated finding messages.
- August 31, 2020: Added requirements.