Scanning to determine whether an HSTS preload directive is present is part of the Sensitive Data Exposure Security Tests used to evaluate the Web Application Security (WAS) Risk Vector.
HTTP Strict Transport Security (HSTS) is a security policy, delivered in the Strict-Transport-Security response header, that instructs web browsers to connect to a website only over HTTPS (TLS) rather than insecure HTTP, protecting against man-in-the-middle attacks such as protocol downgrade and cookie hijacking. Because a browser only learns the policy from a previous HTTPS response, the very first visit is unprotected; the preload directive signals that the site may be added to the HSTS preload list built into major browsers, which enforces HTTPS before any connection is made.
Need to fix?
- Website owners should send a correctly formed Strict-Transport-Security header on every HTTPS response, for example Strict-Transport-Security: max-age=31536000; includeSubDomains; preload, and may then submit the domain at hstspreload.org. Preload is effectively permanent and covers every subdomain, so confirm that all subdomains serve HTTPS before adding the directive.
Does this impact my WAS Risk Vector Grade? Yes.
Possible grades: Strict-Transport-Security header set with preload is good. Weight = -0.1
Good to know:
- The HSTS header must include the max-age directive; it is required.
- No specific number is mandated, but max-age must be present and set to a positive integer (seconds). A value of 0 tells browsers to discard any stored policy for the host.
- A value of at least 86400 (1 day) is recommended to avoid a warning that the value is too small; smaller values are flagged as a misconfiguration.
- Inclusion in the browser preload list has stricter requirements than this check: hstspreload.org requires a max-age of at least 31536000 (1 year) together with the includeSubDomains and preload directives.
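The following checker, added here as an example and not part of the original article or any vendor's scanner, parses a Strict-Transport-Security header value along the lines of RFC 6797 (directives separated by semicolons, case-insensitive names, optional quoted values, no duplicates) and applies the rules listed above: max-age required and positive, at least 86400 to avoid the too-small warning, and preload present. The one-year threshold used for the preload_ready flag is the hstspreload.org submission requirement; the sample header values at the bottom are constructed for illustration.

```python
"""Evaluate Strict-Transport-Security header values against the HSTS checks
described above. Added example; not the scanner's own code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

RECOMMENDED_MIN_MAX_AGE = 86400      # 1 day: below this the scan warns "too small"
PRELOAD_MIN_MAX_AGE = 31536000       # 1 year: hstspreload.org submission requirement

# name, optional '=' value where value is a quoted-string or a bare token
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9_-]+)\s*(?:=\s*("([^"]*)"|([^;\s]*)))?\s*$')


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)

    @property
    def status(self) -> str:
        """'missing', 'misconfigured', 'warning' or 'good', from the worst finding."""
        if not self.present:
            return "missing"
        levels = {f.split(":", 1)[0] for f in self.findings}
        if "error" in levels:
            return "misconfigured"
        if "warning" in levels:
            return "warning"
        return "good"

    @property
    def preload_ready(self) -> bool:
        """True only if the header satisfies the hstspreload.org requirements."""
        return (self.status in ("good", "warning") and self.preload
                and self.include_subdomains and self.max_age is not None
                and self.max_age >= PRELOAD_MIN_MAX_AGE)


def parse_hsts(value: Optional[str]) -> HstsResult:
    """Split one header value into directives; syntax problems become 'error' findings."""
    if value is None:
        return HstsResult(present=False, findings=["error: no Strict-Transport-Security header"])
    res = HstsResult(present=True)
    seen = set()
    for raw in value.split(";"):
        if not raw.strip():
            continue                         # tolerate a trailing ';'
        m = _DIRECTIVE.match(raw)
        if not m:
            res.findings.append(f"error: unparsable directive {raw.strip()!r}")
            continue
        name = m.group(1).lower()
        val = m.group(3) if m.group(3) is not None else m.group(4)
        if name in seen:                     # RFC 6797: each directive at most once
            res.findings.append(f"error: duplicate directive {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if val is None or not val.isdigit():
                res.findings.append(f"error: max-age must be a non-negative integer, got {val!r}")
            else:
                res.max_age = int(val)
        elif name == "includesubdomains":
            res.include_subdomains = True
        elif name == "preload":
            res.preload = True
        # unknown directives are ignored, as RFC 6797 requires of user agents
    return res


def evaluate_hsts(value: Optional[str]) -> HstsResult:
    """Apply the article's checks on top of the parsed directives."""
    res = parse_hsts(value)
    if not res.present:
        return res
    if res.max_age is None:
        if not any("max-age" in f for f in res.findings):
            res.findings.append("error: max-age directive is missing")
    elif res.max_age == 0:
        res.findings.append("error: max-age=0 disables HSTS and clears the stored policy")
    elif res.max_age < RECOMMENDED_MIN_MAX_AGE:
        res.findings.append(f"warning: max-age {res.max_age} is below the recommended {RECOMMENDED_MIN_MAX_AGE}")
    if not res.preload:
        res.findings.append("info: preload directive not set")
    elif res.max_age is not None and (res.max_age < PRELOAD_MIN_MAX_AGE or not res.include_subdomains):
        res.findings.append("warning: preload set but hstspreload.org needs max-age>=31536000 and includeSubDomains")
    return res


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    for sample in [None, "max-age=31536000; includeSubDomains; preload",
                   "max-age=300", "includeSubDomains; preload", "max-age=0",
                   'max-age="31536000"; preload', "max-age=100; max-age=200"]:
        r = evaluate_hsts(sample)
        print(f"{sample!r}: {r.status}, preload_ready={r.preload_ready}, {r.findings}")
```

Running the block prints one line per sample; the first two findings on the good header are empty, which is what the scan's best grade corresponds to, while the header with preload but no includeSubDomains is reported as not preload-ready even though the article's own checks pass.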