HTTP Strict Transport Security (HSTS) Policy Not Enabled - Vulnerability Database

HTTP Strict Transport Security (HSTS) Policy Not Enabled

Description

HTTP Strict Transport Security (HSTS, RFC 6797) is a browser-side security mechanism: once a browser has received a 'Strict-Transport-Security' header over a valid HTTPS connection, it rewrites every subsequent plain-HTTP request to that host into HTTPS for the declared 'max-age' period and no longer lets the user click through certificate errors for it. This defeats protocol downgrade attacks such as SSL stripping, in which an attacker on the network path answers the user's first plain-HTTP request (for example a URL typed without a scheme, or an http:// link) and keeps the session on HTTP. The application does not implement HSTS because the 'Strict-Transport-Security' header is missing from its HTTPS responses. Without it, browsers will still send plain HTTP requests to the application whenever a user or a link specifies http://, even though HTTPS is available, and each such request can be intercepted or redirected by an attacker.

Remediation

Enable HTTP Strict Transport Security by adding the 'Strict-Transport-Security' header to every HTTPS response, including redirects and error pages. Browsers ignore the header when it arrives over plain HTTP, so also make sure that http:// requests are redirected to https://. The header must include a 'max-age' directive giving the number of seconds for which browsers should enforce HTTPS-only access; the recommended value is at least 31536000 (one year). Add the 'includeSubDomains' directive so that the policy also covers every subdomain, and add the 'preload' directive only if you intend to submit the domain to the HSTS preload list (https://hstspreload.org). The preload list hard-codes the policy into browser releases so that it applies even on a user's very first visit; submission requires a 'max-age' of at least 31536000, 'includeSubDomains' and 'preload' all present on the base domain, and removal from the list is slow, so treat preloading as a long-term commitment.

Example header configurations:

Apache (.htaccess or VirtualHost configuration; requires mod_headers, and the 'always' condition makes Apache send the header on redirect and error responses too):
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Nginx (server block of the HTTPS listener; note that an 'add_header' inside a nested location block replaces every add_header inherited from the server block, so repeat this line in any location that sets its own headers):
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

IIS (web.config):
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Express.js (Node.js):
// Register this middleware before any routes so that every response,
// including redirects and error pages, carries the header. Browsers ignore
// it on plain-HTTP responses, so sending it unconditionally is harmless.
app.use((req, res, next) => {
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
  next();
});

Before implementing HSTS, ensure that the entire application and, if you use 'includeSubDomains', every subdomain (including internal or rarely used hosts) is reachable over HTTPS with valid TLS certificates: once the policy is cached, browsers will refuse plain-HTTP access to those hosts and will not let users click through certificate errors. Start with a short 'max-age' (for example 300 seconds) while testing, confirm that nothing breaks, and only then raise it to a year or more. A policy can be withdrawn by serving 'max-age=0', but that only reaches browsers that revisit the site over HTTPS before their cached policy expires, and a domain that has been preloaded stays in browser binaries until a removal request has propagated through browser releases.
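A way to verify the deployed header against the thresholds above, as an added example that is not part of the Invicti finding or its products: the Python script below parses a Strict-Transport-Security value per RFC 6797, reports the same conditions a scanner would flag (header missing, malformed, 'max-age' below one year, 'includeSubDomains' absent, 'preload' set without meeting the preload list's requirements), and can fetch a live HTTPS response with the standard library. The sample headers embedded in it are constructed, and the names parse_hsts, assess_hsts and fetch_headers are chosen here.

```python
"""Grade a Strict-Transport-Security header the way a scanner would.

Added example, not code from the Invicti page. Parses the header per
RFC 6797 section 6.1 and checks it against the recommended one-year
max-age and the HSTS preload list's submission requirements.
"""
from __future__ import annotations

import http.client
import re
from urllib.parse import urlparse

ONE_YEAR = 31536000  # seconds; the recommended minimum max-age


def parse_hsts(value: str) -> dict:
    """Parse one STS header value. Raises ValueError for syntax a browser
    rejects (and then silently ignores): a missing or non-numeric max-age,
    or a directive repeated. Unknown directives are ignored, per the RFC."""
    policy = {"max_age": None, "includeSubDomains": False, "preload": False}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:            # the grammar allows empty directives
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip()
        if name in seen:
            raise ValueError(f"directive {name!r} appears more than once")
        seen.add(name)
        if name == "max-age":
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]       # quoted-string form is permitted
            if not re.fullmatch(r"[0-9]+", val):
                raise ValueError(f"max-age must be a non-negative integer, got {val!r}")
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("required max-age directive is missing")
    return policy


def assess_hsts(headers: list[tuple[str, str]]) -> list[str]:
    """Return findings for one HTTPS response's headers (empty list = fine).
    `headers` is a list of (name, value) pairs so repeated fields survive."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return ["HSTS policy not enabled: Strict-Transport-Security header missing"]
    try:
        policy = parse_hsts(values[0])   # RFC 6797 8.1: only the first field counts
    except ValueError as exc:
        return [f"Strict-Transport-Security header is malformed and will be ignored: {exc}"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells browsers to delete the cached policy")
    elif policy["max_age"] < ONE_YEAR:
        findings.append(f"max-age={policy['max_age']} is below the recommended {ONE_YEAR}")
    if not policy["includeSubDomains"]:
        findings.append("includeSubDomains not set: subdomains are not covered")
    if policy["preload"] and (policy["max_age"] < ONE_YEAR or not policy["includeSubDomains"]):
        findings.append("preload is set but the preload list requires "
                        "max-age>=31536000 together with includeSubDomains")
    return findings


def fetch_headers(url: str) -> list[tuple[str, str]]:
    """Fetch one HTTPS response's headers without following redirects;
    HSTS is only honoured over TLS, so an http:// URL is rejected."""
    u = urlparse(url)
    if u.scheme != "https":
        raise ValueError("HSTS is only honoured over HTTPS; check an https:// URL")
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=10)
    try:
        conn.request("GET", u.path or "/", headers={"User-Agent": "hsts-check"})
        return conn.getresponse().getheaders()
    finally:
        conn.close()


# Constructed sample responses for offline use.
SAMPLES = {
    "recommended": [("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")],
    "missing": [("Content-Type", "text/html")],
    "too short": [("Strict-Transport-Security", "max-age=300")],
    "malformed": [("Strict-Transport-Security", "max-age=1; max-age=2")],
    "withdrawn": [("Strict-Transport-Security", "max-age=0")],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{label}: {assess_hsts(headers) or ['OK']}")
```

Run it with no arguments to see the constructed samples graded, or call assess_hsts(fetch_headers('https://example.com/')) against a real host; check each redirect target with its own call, since the header has to be present on the final HTTPS response as well. The checker deliberately mirrors browser behaviour rather than being lenient: only the first Strict-Transport-Security field is processed and a syntactically invalid one is discarded, so a header that a scanner can "see" but a browser throws away is still reported as a finding.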

Related Vulnerabilities