Information
HTTP Strict Transport Security (HSTS) is a critical security header that instructs browsers to communicate with a domain exclusively over HTTPS. A comprehensive HSTS policy must include the includeSubDomains directive to apply the policy to all current and future subdomains. For maximum protection, the policy should also contain the preload directive, allowing the domain to be submitted to browser preload lists. This ensures that even the very first connection to the domain is made securely. The max-age should be set to a long duration, typically two years (63072000 seconds), to ensure browsers enforce this policy persistently.
HSTS is the primary mechanism to mitigate protocol downgrade attacks and cookie hijacking. By enforcing HTTPS, it prevents attackers from intercepting requests and manipulating them. The includeSubDomains directive is vital as it closes a significant gap where an attacker could otherwise target a non-secure subdomain. The preload directive provides protection by removing the initial window of opportunity for an attack on a user's first visit, as the browser already knows to use HTTPS before making any connection.
Solution
It is critical to deploy HSTS incrementally to avoid locking users out.
Step 1: Initial Rollout (Low max-age)
Add the HSTS header with a very short max-age to test for any issues. Verify that all parts of your site, including all subdomains, function correctly over HTTPS.
# Test with 5 minutes
add_header Strict-Transport-Security "max-age=300; includeSubDomains" always;
Step 2: Increase max-age
Once confident, gradually increase the max-age.
# Increase to 1 week
add_header Strict-Transport-Security "max-age=604800; includeSubDomains" always;
Step 3: Full Deployment (Long max-age and Preload)
After thorough testing (e.g., one month), set the max-age to the recommended final value of two years. Add the preload directive if you intend to submit your site to the HSTS preload list.
# Final configuration (2 years)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
If preloading is desired, submit your domain at https://hstspreload.org.
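Before moving to the next step of the rollout above, it helps to check the header the server actually emits rather than the configuration you intended. The following is an added example, not code from the original finding or from nginx: a small parser for the Strict-Transport-Security header value (RFC 6797 grammar) plus a check that grades a captured value against the two-year final configuration recommended above. It assumes the hstspreload.org submission requirements of a max-age of at least one year (31536000 seconds) together with includeSubDomains and preload; the sample header values are constructed to mirror the three rollout stages plus a misconfigured one.

```python
"""Parse and assess a Strict-Transport-Security header value.

Added example (not part of the original finding). Assumes RFC 6797
directive syntax and the hstspreload.org requirements noted in the lead-in.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

RECOMMENDED_MAX_AGE = 63072000  # two years: the final value from the finding
PRELOAD_MIN_MAX_AGE = 31536000  # one year: assumed hstspreload.org minimum


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse one Strict-Transport-Security header value.

    Directive names are case-insensitive, each may appear at most once, and
    a header without a valid max-age is ignored by browsers (RFC 6797 s6.1).
    """
    policy = HstsPolicy()
    seen = set()
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            policy.errors.append(f"directive '{name}' repeated")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"[0-9]+", val):
                policy.max_age = int(val)
            else:
                policy.errors.append(f"max-age has non-numeric value {val!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # Unknown directives are ignored, as RFC 6797 requires.
    if "max-age" not in seen:
        policy.errors.append("max-age directive missing; browsers ignore the header")
    return policy


def assess(header_value: str) -> List[str]:
    """Return findings against the recommended final configuration (empty = ready)."""
    p = parse_hsts(header_value)
    findings = list(p.errors)
    if p.max_age is None:
        return findings
    if p.max_age == 0:
        findings.append("max-age=0 clears the policy (only valid as a deliberate rollback)")
    elif p.max_age < RECOMMENDED_MAX_AGE:
        findings.append(f"max-age {p.max_age} below recommended {RECOMMENDED_MAX_AGE}")
    if not p.include_subdomains:
        findings.append("includeSubDomains missing; non-HTTPS subdomains remain reachable")
    if p.preload and p.max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"preload requires max-age >= {PRELOAD_MIN_MAX_AGE}")
    if p.preload and not p.include_subdomains:
        findings.append("preload requires includeSubDomains")
    return findings


if __name__ == "__main__":
    # Constructed sample values: the three rollout stages and one bad header.
    samples = [
        "max-age=300; includeSubDomains",
        "max-age=604800; includeSubDomains",
        "max-age=63072000; includeSubDomains; preload",
        "max-age=300; preload",
    ]
    for value in samples:
        print(f"{value!r}: {assess(value) or 'ready for final deployment'}")
```

Run it against a header captured with `curl -sI https://example.com | grep -i strict-transport-security` (example.com as a placeholder for your own host); an empty findings list means the served header matches the Step 3 configuration, while a max-age of 0 is flagged separately because it is the documented way to clear a policy rather than a mistake.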
Impact:
Once an HSTS policy with a long max-age is set, there is effectively "no going back." If any part of your site or any subdomain cannot be served over HTTPS, users with a cached HSTS policy will be unable to access it. Enabling includeSubDomains requires a commitment that all subdomains of the domain will support HTTPS. Submitting a domain to the HSTS preload list is a long-term commitment and removal is a slow, manual process. Careful planning and testing with short max-age values are essential before full deployment.