HTTP Strict Transport Security (HSTS) Errors and Warnings
Description
HTTP Strict Transport Security (HSTS) is a security mechanism that instructs web browsers to communicate with a website exclusively over HTTPS, preventing protocol downgrade attacks. This finding indicates that while HSTS is implemented on your web application, the configuration does not follow security best practices. Common issues include setting the max-age directive to less than one year or omitting the includeSubDomains directive, which weakens the protection HSTS provides.
Remediation
Configure HSTS with security best practices by setting a max-age of at least one year (31536000 seconds) and including the includeSubDomains directive. Add the Strict-Transport-Security header to all HTTPS responses from your web server.
Example configurations:
Apache (.htaccess or VirtualHost):
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Nginx:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
IIS (web.config):
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

After implementation, verify the header is present in HTTPS responses and consider submitting your domain to the HSTS preload list at hstspreload.org for maximum protection. Ensure all subdomains support HTTPS before enabling includeSubDomains to avoid accessibility issues.
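The verification step above can be automated: the following added example (not part of this finding's text) parses a Strict-Transport-Security header value and reports the weaknesses this finding describes (max-age below one year, missing includeSubDomains, preload without the prerequisites hstspreload.org requires). The sample header values and the `check_response_headers` helper are constructed for illustration.

```python
# Minimum max-age this finding asks for: one year in seconds.
ONE_YEAR = 31536000

def parse_hsts(header_value):
    """Split an HSTS header value into a dict of lower-cased directive names.
    max-age carries a value; includeSubDomains and preload are bare flags (None)."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else None
    return directives

def check_hsts(header_value):
    """Return a list of findings; an empty list means the header meets the guidance above."""
    d = parse_hsts(header_value)
    findings = []
    max_age = None
    if d.get("max-age") is None or not d["max-age"].isdigit():
        findings.append("max-age missing or not a number")
    else:
        max_age = int(d["max-age"])
        if max_age == 0:
            findings.append("max-age=0 disables HSTS")
        elif max_age < ONE_YEAR:
            findings.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    # Preloading requires a one-year max-age and includeSubDomains; flag it otherwise.
    if "preload" in d and (max_age is None or max_age < ONE_YEAR or "includesubdomains" not in d):
        findings.append("preload requires max-age >= one year and includeSubDomains")
    return findings

def check_response_headers(headers):
    """Check a dict of HTTPS response headers (name lookup is case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return check_hsts(value)
    return ["Strict-Transport-Security header missing"]

# Constructed sample header values (hypothetical, not taken from any real site).
SAMPLES = {
    "weak": "max-age=300",
    "no-subdomains": "max-age=31536000",
    "good": "max-age=31536000; includeSubDomains; preload",
}

def check_samples():
    return {name: check_hsts(value) for name, value in SAMPLES.items()}
```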