Protocol: Strict Transport Security¶
Identifier:
header_strict_transport_security
Scanner(s) Support¶
| GraphQL Scanner | REST Scanner | WebApp Scanner |
|---|---|---|
Description¶
HSTS is a way for websites to insist that browsers always connect using secure, encrypted channels. Without it, users might accidentally or unknowingly connect using plain HTTP, leaving data vulnerable to attackers who can intercept or tamper with whats sent. The risk is that an attacker could perform a downgrade attackforcing a secure session to drop to an insecure oneand then spy on or alter the communication. A common pitfall among developers is neglecting to implement HSTS at all or configuring it too loosely, which means even when HTTPS is available, users might still have a window of exposure to man-in-the-middle attacks.
References:
- https://owasp.org/www-community/Security_Headers
- https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
- https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html
Configuration¶
Example¶
Example configuration:
---
security_tests:
header_strict_transport_security:
assets_allowed:
- REST
- GRAPHQL
- WEBAPP
skip: false
Reference¶
assets_allowed¶
Type : List[AssetType]*
List of assets that this check will cover.
skip¶
Type : boolean
Skip the test if true.