Permissive HTTP Strict Transport Security Policy Detected

medium Web App Scanning Plugin ID 98715

Synopsis

Permissive HTTP Strict Transport Security Policy Detected

Description

HTTP Strict Transport Security (HSTS) is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS.

The detected HSTS policy either lacks a sufficiently long max-age value (the number of seconds for which the client's browser will adhere to the header policy, as defined in RFC 6797) or it does not cover subdomains via the includeSubDomains directive.

Solution

The max-age directive must be set to at least 31536000 seconds (1 year) and the includeSubDomains directive must be specified.
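The following is an added example, not Tenable's plugin code, showing how the two conditions in the Description and Solution can be checked against a Strict-Transport-Security header value. It parses the header using the directive syntax of RFC 6797 (semicolon-separated, case-insensitive names, max-age in seconds, optionally quoted) and flags a policy as permissive when max-age is below 31536000 or includeSubDomains is absent. The function and class names, the constructed sample headers, and the handling of duplicate directives are assumptions of this example.

```python
"""Evaluate a Strict-Transport-Security header for a permissive policy.

Added example (not the Tenable plugin's implementation). The rules mirror the
Solution text: max-age >= 31536000 seconds and includeSubDomains present.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Minimum max-age (seconds, per RFC 6797) called for in the Solution text.
ONE_YEAR_SECONDS = 31536000


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)

    @property
    def permissive(self) -> bool:
        """True when at least one weakness was recorded."""
        return bool(self.findings)


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split a header value into lower-cased directive names -> values.

    RFC 6797 directives are ';'-separated, names are case-insensitive and
    valueless directives (includeSubDomains, preload) map to None. A
    duplicated directive name is recorded under "__duplicate__" so the
    caller can treat the header as malformed (the RFC requires each
    directive to appear only once); this handling is an assumption here.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, raw_val = part.partition("=")
        name = name.strip().lower()
        val = raw_val.strip().strip('"') if sep else None
        if name in directives:
            directives["__duplicate__"] = name
            continue
        directives[name] = val
    return directives


def evaluate_hsts(header_value: Optional[str]) -> HstsResult:
    """Apply the plugin's two checks to a header value (None = header absent)."""
    if header_value is None:
        return HstsResult(present=False,
                          findings=["no Strict-Transport-Security header"])

    d = parse_hsts(header_value)
    result = HstsResult(present=True)
    result.include_subdomains = "includesubdomains" in d
    result.preload = "preload" in d

    if "__duplicate__" in d:
        result.findings.append(f"directive '{d['__duplicate__']}' repeated; "
                               "browsers ignore a malformed header")

    raw = d.get("max-age")
    if raw is None or not re.fullmatch(r"\d+", raw):
        result.findings.append("max-age missing or not a non-negative integer")
    else:
        result.max_age = int(raw)
        if result.max_age < ONE_YEAR_SECONDS:
            result.findings.append(
                f"max-age {result.max_age} is below {ONE_YEAR_SECONDS} (1 year)")

    if not result.include_subdomains:
        result.findings.append("includeSubDomains directive missing")
    return result


# Constructed sample responses (hostnames and values are made up for this example).
SAMPLE_HEADERS = {
    "ok.example":      "max-age=31536000; includeSubDomains",
    "short.example":   "max-age=300; includeSubDomains",
    "nosub.example":   "MAX-AGE=63072000",
    "quoted.example":  'max-age="31536000"; includeSubDomains; preload',
    "missing.example": None,
}


def scan_samples(samples=SAMPLE_HEADERS) -> Dict[str, HstsResult]:
    """Evaluate every sample and return the per-host results."""
    return {host: evaluate_hsts(value) for host, value in samples.items()}


if __name__ == "__main__":
    for host, res in scan_samples().items():
        status = "PERMISSIVE" if res.permissive else "ok"
        print(f"{host:16} {status:10} {'; '.join(res.findings)}")
```

Only `ok.example` and `quoted.example` pass; the others reproduce the conditions this plugin reports (short max-age, no includeSubDomains, or no header at all). A real scanner would read the header from an HTTPS response rather than the constructed table, but the evaluation logic is the same.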

See Also

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

https://hstspreload.org/

https://tools.ietf.org/html/rfc6797

https://www.chromium.org/hsts

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

Plugin Details

Severity: Medium

ID: 98715

Type: remote

Published: 10/1/2019

Updated: 4/22/2024

Scan Template: api, basic, config_audit, full, overview, pci, quick, scan

Risk Information

VPR

Risk Factor: Low

Score: 3.3

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS Score Source: Tenable

Reference Information