CWE-16
ISO27001-A.14.1.2
WASC-15
OWASP 2013-A5
OWASP 2017-A6

HTTP Strict Transport Security (HSTS) Errors and Warnings

Severity: Medium
Summary

Invicti detected errors during parsing of the Strict-Transport-Security header.

Impact

Errors and warnings in the HSTS header may allow attackers to bypass HSTS, effectively allowing them to read and modify your users' communication with the website.

Remediation

Ideally, after fixing the errors and warnings, you should consider adding your domain to the HSTS preload list. This will ensure that browsers automatically connect to your website using HTTPS, actively preventing users from visiting your site over HTTP. Since this list is hardcoded in users' browsers, it enables HSTS even before they visit your page for the first time, eliminating the need for Trust On First Use (TOFU) with its associated risks and disadvantages. Unless you fix the errors and warnings, your website won't meet the conditions required to enter the browsers' preload list.

Browser vendors state the following requirements for the preload list:

  • Serve a valid certificate
  • If you are listening on port 80, redirect all HTTP requests to HTTPS on the same host. Serve all subdomains over HTTPS:
    • In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists
  • Serve an HSTS header on the base domain for HTTPS requests:
    • The max-age must be at least 31536000 seconds (1 year)
    • The includeSubDomains directive must be specified
    • The preload directive must be specified
    • If you are serving an additional redirect from your HTTPS site, that redirect must have the HSTS header (rather than the page it redirects to)
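The header requirements above can be checked mechanically. The following added example (not Invicti's scanner code) parses a Strict-Transport-Security header value using the directive syntax of RFC 6797 and reports the parse errors and preload-blocking warnings listed above; the sample header values are constructed for illustration.

```python
import re

# Preload-list threshold from the requirements above: one year, in seconds.
MIN_PRELOAD_MAX_AGE = 31536000


def parse_hsts(header: str) -> tuple[dict, list[str]]:
    """Split an STS header value into its directives.

    Returns (directives, errors). Directive names are case-insensitive and
    values may be quoted. A directive that appears more than once is an
    error: RFC 6797 requires user agents to ignore such a header entirely,
    which silently disables HSTS for the site.
    """
    directives: dict = {}
    errors: list[str] = []
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue  # tolerate empty tokens such as a trailing ';'
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            errors.append(f"duplicate directive: {name}")
        else:
            directives[name] = value
    return directives, errors


def check_preload_ready(header: str) -> list[str]:
    """Return every error or warning that would block preload submission."""
    directives, problems = parse_hsts(header)
    max_age = directives.get("max-age")
    if max_age is None:
        problems.append("missing required max-age directive")
    elif not re.fullmatch(r"[0-9]+", max_age):
        problems.append(f"max-age is not a non-negative integer: {max_age!r}")
    elif int(max_age) < MIN_PRELOAD_MAX_AGE:
        problems.append("max-age must be at least 31536000 seconds (1 year)")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive must be specified")
    if "preload" not in directives:
        problems.append("preload directive must be specified")
    return problems


# Constructed sample header values (not taken from any real site).
GOOD = "max-age=63072000; includeSubDomains; preload"
WEAK = "max-age=300; includeSubDomains"
BROKEN = "max-age=abc; max-age=31536000; preload"
```

Running `check_preload_ready` over the three samples yields no findings for GOOD, a short max-age plus a missing preload directive for WEAK, and a duplicate max-age, a non-numeric max-age and a missing includeSubDomains for BROKEN.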