Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Proper HTTP Strict-Transport-Security (HSTS) Implementation

Ingrid

⇤ Web Application Header Assessment

Optional for HTTP 1.0 and HTTP 1.1
Required for HTTP 1.0 (HTTPS) and HTTP 1.1 (HTTPS)

HTTP Strict-Transport-Security (HSTS) enforces the use of HTTP over TLS/SSL. Properly using this header can help prevent man-in-the-middle attacks (MITM). This header is defined in RFC-6797.

Requirements

  • The max-age parameter is required.
  • The includeSubDomains and preload parameters are optional. If present, we check to see if they are legitimate and that there are no associated values (i.e., syntax parsing).
  • An HSTS header on an HTTP response is ignored.

See finding messages.

  • March 26, 2025: Optional for HTTP 1.0 and HTTP 1.1.
  • September 12, 2023: Separated finding messages.
  • August 31, 2020: Added requirements.

Related articles

Feedback

0 comments

Please sign in to leave a comment.