4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled

Information

The HTTP Strict Transport Security (HSTS) response header instructs a user agent on how it must communicate with a web server. Once a browser or other user agent receives the header over an HTTPS connection, it stores the policy and, for the period given by max-age, rewrites every plain-HTTP request for that host to HTTPS before sending it. Per RFC 6797 the header is ignored when received over plain HTTP, so it must be sent on the HTTPS side of the server. HSTS with long validity periods should be used to most effectively secure your user population.

Strict-Transport-Security should carry a long max-age; at least six months is recommended. This makes the browser remember, for that many seconds after it last saw the header, that your website should only be reached over HTTPS.

Rationale:

HSTS headers protect a server's users from reaching the server over an unencrypted protocol once their browser has seen the policy. This defeats HTTP downgrade (SSL-stripping) attacks against returning visitors, in which an attacker on the path keeps the victim on plain HTTP while proxying to the real site over HTTPS. The very first visit, made before the policy is cached, is not covered by the header alone.

Solution

Ensure the snippet below is present in the configuration of your web server or reverse proxy (the syntax shown is nginx). It sets the HSTS header with a validity period of six months, or 15768000 seconds. The always parameter makes nginx add the header on every response code, including error pages and redirects, rather than only on 2xx and 3xx responses. Note that nginx add_header directives are inherited from the server level only when a location block defines no add_header of its own, so any location that adds its own headers must repeat this directive or the HSTS header will silently disappear from those responses.

server {
    # Tell user agents to use HTTPS only for the next 15768000 seconds (six months).
    # 'always' adds the header on every response code, not only 2xx/3xx.
    add_header Strict-Transport-Security 'max-age=15768000' always;
}
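To verify the setting from the client side, the following POSIX shell script is an added example (it is not part of the CIS benchmark text or of nginx). It parses the response headers of an HTTPS request, extracts the max-age directive from Strict-Transport-Security, and fails if the header is missing or its value is below the six-month minimum. The three header blocks embedded in it are constructed samples standing in for real server responses; the hostname in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: audit a server's HSTS header against the six-month minimum.
# Not part of the benchmark text or of nginx.

MIN_MAX_AGE=15768000   # six months in seconds, as required by the control

# Constructed sample responses (not captured from a real server).
GOOD_HEADERS='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=15768000; includeSubDomains
Content-Type: text/html'

SHORT_HEADERS='HTTP/1.1 404 Not Found
Server: nginx
Strict-Transport-Security: max-age=300'

NO_HSTS_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

# hsts_max_age: read raw HTTP response headers on stdin and print the value of
# the max-age directive from Strict-Transport-Security. Prints nothing if the
# header or the directive is absent. Header names and directive names are
# matched case-insensitively; CRLF line endings from curl are tolerated.
hsts_max_age() {
    tr -d '\r' | awk '
        tolower($1) == "strict-transport-security:" {
            val = substr($0, index($0, ":") + 1)   # text after the header name
            n = split(val, parts, ";")
            for (i = 1; i <= n; i++) {
                d = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", d)      # trim surrounding blanks
                gsub(/"/, "", d)                    # RFC 6797 allows a quoted value
                if (tolower(substr(d, 1, 8)) == "max-age=") {
                    print substr(d, 9)
                    exit
                }
            }
        }'
}

# check_hsts: read raw HTTP response headers on stdin. Returns 0 when an HSTS
# header with max-age >= MIN_MAX_AGE is present, 1 otherwise, with a reason on
# stderr for failures.
check_hsts() {
    age=$(hsts_max_age)
    if [ -z "$age" ]; then
        echo "FAIL: no Strict-Transport-Security header" >&2
        return 1
    fi
    case "$age" in
        *[!0-9]*) echo "FAIL: unparseable max-age '$age'" >&2; return 1 ;;
    esac
    if [ "$age" -lt "$MIN_MAX_AGE" ]; then
        echo "FAIL: max-age=$age is below the $MIN_MAX_AGE second minimum" >&2
        return 1
    fi
    echo "PASS: max-age=$age"
    return 0
}

# Against a live server (placeholder hostname; use your own):
#   curl -sI https://www.example.com/ | check_hsts
# Against the constructed samples:
printf '%s\n' "$GOOD_HEADERS" | check_hsts
printf '%s\n' "$SHORT_HEADERS" | check_hsts || true
printf '%s\n' "$NO_HSTS_HEADERS" | check_hsts || true
```

Run the live check against the HTTPS listener, since the header is only meaningful there; a request that is redirected from HTTP will show the redirect's headers, not the final page's, unless you add curl's -L option.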

Default Value:

HSTS headers are not set by default.

See Also

https://workbench.cisecurity.org/files/4212