HTTP Strict Transport Security Policy Detected

info Web App Scanning Plugin ID 112535

Synopsis

HTTP Strict Transport Security Policy Detected

Description

HTTP Strict Transport Security (HSTS) is an optional response header that a server can send to instruct the browser to communicate with it only over HTTPS.

The HSTS policy can be defined with the following settings:

- max-age: the time, in seconds, for which the browser should remember that the site is only to be accessed over HTTPS.

- includeSubDomains (optional): if this directive is present, the policy also applies to all subdomains of the site.

- preload (optional): Google maintains a compiled list of domains that is distributed directly in some browsers to enforce HTTPS without first checking for the HSTS header. Because the domain submission process is public, the preload directive is used to confirm that the site owner consents when a domain is submitted for preloading.

The scanner detected an HSTS policy on the target application.
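The following added example (written for this page, not code from Tenable or from the plugin) shows what a detection like this one has to do: find the Strict-Transport-Security header in a response, parse its directives according to RFC 6797 section 6.1, and report whether the max-age, includeSubDomains and preload settings described above are present and consistent. The preload check assumes the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, and the preload directive); the header values and finding codes are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Minimum max-age (one year, in seconds) that hstspreload.org requires for
# submission, together with includeSubDomains and preload. Assumption: taken
# from the preload list's published requirements, not from this page.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


# One directive: a token name, optionally "=" followed by a quoted-string or a token.
_DIRECTIVE_RE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^\s";]*)))?\s*')


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Raises ValueError for values a browser must ignore: a malformed directive,
    a directive given more than once, or a missing max-age.
    """
    seen = set()
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for part in value.split(";"):
        if not part.strip():
            continue  # empty directives are allowed by the grammar
        m = _DIRECTIVE_RE.fullmatch(part)
        if m is None:
            raise ValueError(f"malformed directive: {part!r}")
        name = m.group(1).lower()  # directive names are case-insensitive
        val = m.group(2) if m.group(2) is not None else m.group(3)
        if name in seen:
            raise ValueError(f"directive {name} appears more than once")
        seen.add(name)
        if name == "max-age":
            if val is None or not val.isdigit():
                raise ValueError("max-age requires a non-negative integer value")
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is unknown and ignored, as the RFC requires
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def audit_hsts(headers: Dict[str, str]) -> List[str]:
    """Return finding codes (constructed for this example) for a response's HSTS header.

    Header names are matched case-insensitively; the first match is used.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["hsts-missing"]
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [f"hsts-invalid: {exc}"]
    findings = ["hsts-present"]  # the informational detection this plugin reports
    if policy.max_age == 0:
        findings.append("max-age-zero-clears-policy")  # max-age=0 tells the browser to forget the policy
    elif policy.max_age < PRELOAD_MIN_MAX_AGE:
        findings.append("max-age-below-one-year")
    if not policy.include_subdomains:
        findings.append("includesubdomains-absent")
    if policy.preload and not (policy.include_subdomains
                               and policy.max_age >= PRELOAD_MIN_MAX_AGE):
        findings.append("preload-requirements-not-met")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = {
        "strong": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
        "short": {"strict-transport-security": "max-age=300"},
        "preload-only": {"Strict-Transport-Security": "max-age=86400; preload"},
        "none": {"Content-Type": "text/html"},
    }
    for label, hdrs in samples.items():
        print(f"{label}: {audit_hsts(hdrs)}")
```

Only the header value is inspected here; a real scan would additionally confirm that the header arrived over an HTTPS response, since RFC 6797 requires browsers to ignore HSTS headers received over plain HTTP.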

See Also

https://hstspreload.org/

https://tools.ietf.org/html/rfc6797

https://www.chromium.org/hsts

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

Plugin Details

Severity: Info

ID: 112535

Type: remote

Published: 7/27/2020

Updated: 3/25/2024

Scan Template: api, basic, config_audit, full, overview, pci, quick, scan