Determining if an HSTS Preload Directive is Present and its effect on the WAS Risk Vector

Erin Conry

Scanning to determine if an HSTS preload directive is present is part of the Sensitive Data Exposure security tests used to evaluate the Web Application Security Risk Vector.

HTTP Strict Transport Security (HSTS) is a security policy that forces web browsers to connect to a website only over HTTPS (using TLS/SSL) rather than insecure HTTP, protecting against man-in-the-middle attacks such as protocol downgrade and cookie hijacking.

Need to fix?
Website owners should configure HSTS headers correctly.

Does this impact my WAS Risk Vector Grade?
Yes.

Possible grades:
Strict-Transport-Security header set with preload is good. Weight = -0.1

Good to know:
The HSTS header must include the max-age parameter; it is required.
There is no specific number mandated, but max-age must be present and set to a positive integer.
A value of at least 86400 (1 day) is recommended to avoid warnings about the value being too small. Otherwise, it will be flagged as a misconfiguration.
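As an added example (not part of this article and not the scanner's own logic), the checker below applies the rules listed above to a Strict-Transport-Security header value: the header must be present, max-age must be present and a positive integer, a value under 86400 is reported as too small, and the preload directive is reported when absent. The function names, the result class and the finding strings are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

MIN_RECOMMENDED_MAX_AGE = 86400  # one day, the threshold the article names

@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: list = field(default_factory=list)  # misconfigurations found

def evaluate_hsts(header_value: Optional[str]) -> HstsResult:
    """Parse one Strict-Transport-Security header value and list its problems."""
    if header_value is None:
        return HstsResult(present=False, findings=["Strict-Transport-Security header missing"])
    result = HstsResult(present=True)
    saw_max_age = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            saw_max_age = True
            if re.fullmatch(r"\d+", value):
                result.max_age = int(value)
            else:
                result.findings.append("max-age is not an integer")
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
        else:
            result.findings.append(f"unknown directive: {name}")
    if not saw_max_age:
        result.findings.append("max-age is required but missing")
    elif result.max_age is not None and result.max_age <= 0:
        result.findings.append("max-age must be a positive integer")
    elif result.max_age is not None and result.max_age < MIN_RECOMMENDED_MAX_AGE:
        result.findings.append("max-age below recommended 86400 (1 day)")
    if not result.preload:
        result.findings.append("preload directive not set")
    return result

def evaluate_headers(headers: dict) -> HstsResult:
    """Case-insensitive lookup of the header in a response-headers dict, then evaluate it."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return evaluate_hsts(lowered.get("strict-transport-security"))
```

An empty findings list means the header satisfies every check the article describes; each string in the list maps to one of its "Good to know" rules.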