Detections
Analytics
Permissive HTTP Strict Transport Security Policy Detected
low Web App Scanning Plugin ID 98715
Language:
Synopsis
Permissive HTTP Strict Transport Security Policy DetectedDescription
HTTP Strict Transport Security (HSTS) is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS.The detected HSTS policy doesn't have long max-age value which is a representation (in milliseconds) determining the time in which the client's browser will adhere to the header policy or it doesn't cover subdomains via includeSubDomains directive.
Solution
The max-age must be set at least to 31536000 seconds (1 year) and includeSubDomains directive must be specified.See Also
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
https://tools.ietf.org/html/rfc6797
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
Plugin Details
Severity: Low
ID: 98715
Type: remote
Family: HTTP Security Header
Published: 10/1/2019
Updated: 4/22/2024
Scan Template: api, basic, config_audit, full, overview, pci, quick, scan
Risk Information
VPR
Risk Factor: Low
Score: 3.3
CVSS v2
Risk Factor: Medium
Base Score: 5.8
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS Score Source: Tenable
CVSS v3
Risk Factor: Medium
Base Score: 6.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS Score Source: Tenable
CVSS v4
Risk Factor: Low
Base Score: 2.1
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score Source: Tenable
Reference Information
OWASP: 2010-A9, 2013-A6, 2017-A3, 2021-A2
WASC: Insufficient Transport Layer Protection
DISA STIG: APSC-DV-000170, APSC-DV-001750
HIPAA: 164.312(a), 164.312(e)
ISO: 27001-A.10.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.5
NIST: sp800_53-IA-5(1), sp800_53-SC-13
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-9.1.1
PCI-DSS: 3.2-6.5.4