Strict Transport Security

Description

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards-track protocol specified in RFC 6797.

Remediation

Add the Strict-Transport-Security header to every response served over HTTPS.
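The following checker, added here as an illustration and not part of Escape's own scanner, parses a Strict-Transport-Security value per RFC 6797 and reports the findings a practitioner would want before and after remediation. The one-year minimum and the includeSubDomains expectation are assumptions taken from the remediation guidance on this page.

```python
import re
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age recommended above (assumption)
# directive-name [ "=" directive-value ], value optionally quoted (RFC 6797 §6.1)
_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("?)([^";]*)\2\s*)?$')

def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Map lower-cased directive names to (unquoted) values. Raises ValueError on a
    malformed or repeated directive, which user agents reject (RFC 6797 §6.1, §8.1)."""
    directives: Dict[str, Optional[str]] = {}
    for raw in value.split(';'):
        if not raw.strip():
            continue  # tolerate a trailing ';'
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            raise ValueError(f'malformed directive {raw.strip()!r}')
        name = m.group(1).lower()
        if name in directives:
            raise ValueError(f'directive {name!r} repeated')
        directives[name] = m.group(3)
    return directives

def check_hsts(header: Optional[str], over_https: bool = True) -> List[str]:
    """Return findings for one response's header value; an empty list means OK."""
    if header is None:
        return ['Strict-Transport-Security header missing']
    # Servers must not send HSTS over plain HTTP and browsers ignore it there (§7.2, §8.1)
    findings = [] if over_https else ['header sent over plain HTTP; user agents ignore it']
    try:
        d = parse_hsts(header)
    except ValueError as e:
        return findings + [f'invalid header: {e}']
    max_age: Optional[int] = None
    if 'max-age' not in d:
        findings.append('required max-age directive missing')
    elif not (d['max-age'] or '').isdigit():
        findings.append('max-age must be a non-negative integer (seconds)')
    else:
        max_age = int(d['max-age'])
        if max_age == 0:
            findings.append('max-age=0 tells browsers to forget the HSTS policy')
        elif max_age < ONE_YEAR:
            findings.append(f'max-age {max_age} is below one year ({ONE_YEAR})')
    if 'includesubdomains' not in d:
        findings.append('includeSubDomains not set; subdomains stay unprotected')
    if 'preload' in d and ('includesubdomains' not in d or (max_age or 0) < ONE_YEAR):
        findings.append('preload requires includeSubDomains and max-age >= one year')
    return findings
```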

GraphQL Specific

  • Apollo: Implement HTTP Strict Transport Security (HSTS) by adding a 'Strict-Transport-Security' header to all responses with an appropriate 'max-age' directive. Ensure that the 'includeSubDomains' directive is set if all subdomains are to be included, and consider the 'preload' directive if you want the domain to be included in the HSTS preload list. Configure the Apollo framework to enforce HTTPS to prevent protocol downgrade attacks and cookie hijacking.
  • Yoga: Enable HTTP Strict Transport Security (HSTS) by adding the 'Strict-Transport-Security' header with an appropriate 'max-age' directive to the Yoga framework engine. This header ensures that browsers only communicate with the server over HTTPS, preventing man-in-the-middle attacks. Configure the Yoga server to send the header 'Strict-Transport-Security: max-age=31536000; includeSubDomains' with every response to enforce a secure connection for at least one year, including all subdomains.
  • Awsappsync: Ensure that AWS AppSync is configured to use HTTPS for all communications and enable Strict Transport Security by setting the 'Strict-Transport-Security' header in the response. This can be achieved by configuring a custom domain name for your AppSync API and using AWS CloudFront to serve the API over HTTPS with the appropriate security headers.
  • Graphqlgo: Implement HTTP Strict Transport Security (HSTS) by configuring your web server to add the 'Strict-Transport-Security' header to all responses. This header should specify a 'max-age' directive to indicate how long the browser should remember that the site should only be accessed using HTTPS. Optionally, include the 'includeSubDomains' directive if you want all subdomains to also use HSTS, and the 'preload' directive if you want to be included in the HSTS preload list. For a GraphQL Go framework engine, ensure that the web server sitting in front of the application, such as Nginx or Apache, is configured to send the appropriate HSTS header.
  • Graphqlruby: Implement HTTP Strict Transport Security (HSTS) by adding the `rack-ssl` gem to your Gemfile and configuring it to use the `Rack::SSL` middleware. This will ensure that all communications between the client and the server are conducted over HTTPS, preventing man-in-the-middle attacks. Additionally, set the `hsts` option to true in your GraphQL Ruby framework configuration to enforce HSTS headers in responses.
  • Hasura: Enable Strict Transport Security in Hasura by setting the 'strict-transport-security' header in the response. This can be done by configuring the web server hosting Hasura to add this header, or by using a reverse proxy that can inject the header. The header should be set to 'max-age=31536000; includeSubDomains; preload' to ensure that browsers only access Hasura using HTTPS for at least one year, including all subdomains, and to allow the domain to be preloaded into browsers' HSTS lists.
  • Agoo: Enable HTTPS and configure HTTP Strict Transport Security (HSTS) in the Agoo framework to ensure all communications are conducted over secure connections.
  • Ariadne: Ensure that the Ariadne framework engine is configured to enforce HTTPS connections by implementing HTTP Strict Transport Security (HSTS) as specified in RFC 6797.
  • Caliban: Ensure secure configuration of the Caliban framework by validating input data and implementing proper authentication and authorization mechanisms.
  • Dgraph: Ensure secure communication by configuring Dgraph to use HTTPS with a valid TLS/SSL certificate.
  • Dianajl: Implement input validation and output encoding in the DianaJL framework engine to prevent injection attacks.
  • Directus: Ensure all API endpoints in the Directus framework are secured with HTTPS and implement HTTP Strict Transport Security (HSTS) to enforce secure connections.
  • Flutter: Ensure secure data storage by using Flutter's secure storage package to encrypt sensitive information.
  • Graphene: Ensure proper input validation and sanitization in the Graphene framework to prevent injection attacks.
  • Graphqlapiforwp: Ensure secure authentication and authorization mechanisms are in place for the GraphQL API in the WP Engine framework to prevent unauthorized access and data exposure.
  • Graphqlgophergo: Implement input validation and output encoding to prevent injection attacks in GraphQL queries within the GopherGo framework.
  • Graphqljava: Enable query complexity analysis to prevent overly complex queries in GraphQL Java.
  • Graphqlphp: Implement input validation and output encoding to prevent injection attacks in GraphQL queries within the graphqlphp framework.
  • Graphqlyoga: Enable validation rules to prevent malicious queries in the GraphQL Yoga framework.
  • Hypergraphql: Ensure secure configuration and access controls for the HyperGraphQL engine to prevent unauthorized access and data exposure.
  • Jaal: Ensure the Jaal framework engine is updated to the latest version to mitigate known vulnerabilities.
  • Juniper: Ensure that the Juniper framework engine is configured to use secure coding practices, including input validation and output encoding, to prevent common vulnerabilities such as SQL injection and cross-site scripting (XSS).
  • Lacinia: Ensure secure configuration of the Lacinia framework by validating and sanitizing all inputs to prevent injection attacks.
  • Lighthouse: Ensure all resources are served over HTTPS to improve security and performance in the Lighthouse framework.
  • Mercurius: Ensure all routes in the Mercurius framework are protected with appropriate authentication and authorization mechanisms.
  • Morpheusgraphql: Ensure all GraphQL endpoints in the Morpheus GraphQL framework are secured with HTTPS and implement HSTS to enforce secure connections.
  • Qglgen: Ensure proper input validation and sanitization in the gqlgen framework to prevent injection vulnerabilities.
  • Sangria: Ensure proper input validation and sanitization in Sangria GraphQL queries to prevent injection attacks.
  • Shopify: Ensure all Shopify store connections are secured with HTTPS by enabling HTTP Strict Transport Security (HSTS) to enforce secure communication.
  • Stepzen: Ensure all API endpoints in the StepZen framework are configured to use HTTPS to secure data in transit.
  • Strawberry: Ensure secure session management by implementing strong session identifiers and using HTTPS for all session-related communications in the Strawberry Framework Engine.
  • Tartiflette: Ensure secure configuration of the Tartiflette engine by validating and sanitizing all inputs to prevent injection attacks.
  • Wpgraphql: Ensure proper authentication and authorization checks are implemented in WPGraphQL to prevent unauthorized access to sensitive data.

REST Specific

  • Asp_net: Implement HTTP Strict Transport Security (HSTS) in your ASP.NET application by adding the 'Strict-Transport-Security' header to your responses. This can be done by configuring the 'system.webServer' section in your web.config file or by using OWIN middleware to append the header for all outgoing responses. Ensure that the 'max-age' attribute is set to an appropriate duration and consider including the 'includeSubDomains' attribute if you want all subdomains to also enforce HSTS.
  • Ruby_on_rails: In Ruby on Rails, enable HSTS by setting the 'hsts' option in the 'force_ssl' configuration. Add the following line to your application's configuration file (config/environments/production.rb): 'config.force_ssl = true', which will automatically enforce HSTS with default settings. For custom HSTS options, use 'config.ssl_options = { hsts: { expires: 1.year, subdomains: false } }' to specify the expiry time and whether to include subdomains.
  • Next_js: Implement HTTP Strict Transport Security (HSTS) in your Next.js application by configuring the server to send the 'Strict-Transport-Security' header with an appropriate 'max-age' value. This ensures that browsers only communicate with your server over HTTPS. Additionally, consider setting the 'includeSubDomains' flag if you want all subdomains to also use HSTS, and the 'preload' flag if you intend to submit your site to the HSTS preload list for added security.
  • Laravel: In Laravel, enable HTTP Strict Transport Security (HSTS) by adding the 'StrictTransportSecurity' middleware to the 'web' middleware group in the 'app/Http/Kernel.php' file. This middleware can enforce HTTPS by sending the 'Strict-Transport-Security' header with an appropriate max-age directive.
  • Express_js: In Express.js, to enable HTTP Strict Transport Security (HSTS), use the 'helmet' middleware. Install it with 'npm install helmet' and include it in your application by adding 'app.use(helmet.hsts({ maxAge: 15552000 }))' to set a max-age of 180 days. Ensure all requests use HTTPS to prevent man-in-the-middle attacks.
  • Django: In Django, enable HSTS by setting the 'SECURE_HSTS_SECONDS' value in your settings.py file to a non-zero integer, which specifies the number of seconds browsers should remember to only access the site via HTTPS. Also, consider setting 'SECURE_HSTS_INCLUDE_SUBDOMAINS' to True to apply HSTS to all subdomains, and 'SECURE_HSTS_PRELOAD' to True if you intend to submit your site to the HSTS preload list.
  • Symfony: In Symfony, enable HTTP Strict Transport Security (HSTS) by configuring the 'nelmio_security' bundle. Add the 'forced_ssl' configuration under 'nelmio_security' in your 'config/packages/security.yaml' file, setting 'hsts_max_age' to a suitable value, 'hsts_include_subdomains' to true if you want to include subdomains, and 'hsts_preload' to true if you intend to submit your site to the HSTS preload list.
  • Spring_boot: In Spring Boot, enable HSTS by configuring the security headers in the application.properties or application.yml file. Set the security.require-ssl property to true and use the SecurityHeadersConfigurer to add the Strict-Transport-Security header with an appropriate max-age directive.
  • Flask: In Flask, enable HSTS by setting the 'Strict-Transport-Security' header. Use Flask-Talisman or set the header manually in responses. For example: response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'.
  • Nuxt: Implement HSTS in Nuxt.js by adding the `helmet` package to set the `Strict-Transport-Security` header. Configure it in the server middleware to ensure all connections use HTTPS.
  • Fastapi: In FastAPI, ensure that all responses set the 'Strict-Transport-Security' header with an appropriate 'max-age' value. This can be achieved by using middleware to automatically add the header to all responses. For example, you can use the 'fastapi.middleware.httpsredirect.HTTPSRedirectMiddleware' to enforce HTTPS, which will also set the HSTS header for you.
  • Frappe: Ensure all database queries in the Frappe framework use parameterized queries to prevent SQL injection attacks.
  • Genzio: Ensure all data inputs in the Genzio framework engine are properly validated and sanitized to prevent injection attacks.
  • Gin: Implement middleware to enforce HTTPS using the gin framework by redirecting HTTP requests to HTTPS and setting the HSTS header to ensure secure connections.
  • Gorilla: Implement input validation and output encoding to prevent injection attacks in the Gorilla framework.
  • Hapi: Enable HSTS in the hapi framework by using the 'hapi-hsts' plugin to enforce HTTPS connections.
  • Hono: Ensure the Hono framework engine is configured to enforce HTTPS connections by implementing HTTP Strict Transport Security (HSTS) as specified in RFC 6797.
  • Jersey: Ensure secure configuration of the Jersey framework by enabling HTTPS and validating input data to prevent vulnerabilities.
  • Koa: Implement CSRF protection middleware in the Koa framework.
  • Ktor: Enable HSTS in Ktor by configuring the HTTP server to include the 'Strict-Transport-Security' header in responses, ensuring all interactions occur over HTTPS.
  • Leptos: Ensure proper state management in the Leptos framework by using reactive signals and effects to handle UI updates efficiently.
  • Macaron: Ensure secure session management by using encrypted cookies and setting appropriate cookie flags in the Macaron framework.
  • Phoenix: Enable HTTPS and configure HTTP Strict Transport Security (HSTS) in the Phoenix Framework to ensure all communications are secure and prevent protocol downgrade attacks.
  • Redwoodjs: Ensure secure data handling by using RedwoodJS's built-in GraphQL API with proper authentication and authorization mechanisms.
  • Rocket: Ensure all routes in the Rocket framework enforce HTTPS by using the `rocket::config::Tls` configuration and redirecting HTTP requests to HTTPS.
  • Sveltekit: Ensure secure data handling by using SvelteKit's built-in form actions and server-side validation to prevent injection attacks.
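Several of the entries above (Flask, Django, FastAPI) describe adding the header from middleware. The framework-neutral WSGI middleware below is an added example, not code from any of those projects: it sets the header on every response, but only for requests that actually arrived over TLS, since RFC 6797 §7.2 forbids sending it over plain HTTP. The header value, class names and the demo app are this example's own assumptions.

```python
from typing import Callable, Iterable, List, Tuple

HSTS_VALUE = 'max-age=31536000; includeSubDomains'  # one year, all subdomains (assumption)

class HSTSMiddleware:
    """Wrap a WSGI app and add Strict-Transport-Security to responses that were
    served over TLS. RFC 6797 §7.2 forbids sending it over plain HTTP."""

    def __init__(self, app: Callable, value: str = HSTS_VALUE, trust_forwarded_proto: bool = False):
        self.app = app
        self.value = value
        # Enable only behind a reverse proxy you control: X-Forwarded-Proto is
        # client-controllable if it reaches the app unfiltered.
        self.trust_forwarded_proto = trust_forwarded_proto

    def _is_https(self, environ: dict) -> bool:
        if environ.get('wsgi.url_scheme') == 'https':
            return True
        if self.trust_forwarded_proto:
            return environ.get('HTTP_X_FORWARDED_PROTO', '').lower() == 'https'
        return False

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        is_https = self._is_https(environ)

        def hsts_start_response(status: str, headers: List[Tuple[str, str]], exc_info=None):
            if is_https:
                # Replace any value the app already set rather than emit a second
                # header; user agents only honour the first one (RFC 6797 §8.1).
                headers = [h for h in headers if h[0].lower() != 'strict-transport-security']
                headers.append(('Strict-Transport-Security', self.value))
            return start_response(status, headers, exc_info)

        return self.app(environ, hsts_start_response)

def _demo_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    # Stand-in for a Flask/Django-style WSGI app (constructed for this example)
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [b'hello']

def response_headers(environ: dict, **opts) -> List[Tuple[str, str]]:
    """Run the demo app through HSTSMiddleware and return the response headers."""
    captured: List[Tuple[str, str]] = []

    def start_response(status, headers, exc_info=None):
        captured.extend(headers)

    list(HSTSMiddleware(_demo_app, **opts)(environ, start_response))
    return captured
```

Wrapping a real app is `app.wsgi_app = HSTSMiddleware(app.wsgi_app)` in Flask, or wrapping the object returned by Django's `get_wsgi_application()`.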

Configuration

Identifier: protocol/header_strict_transport_security

Examples

Ignore this check

checks:
  protocol/header_strict_transport_security:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API7:2023
  • OWASP LLM: LLM06:2023
  • pci: 4.1
  • gdpr: Article-32
  • soc2: CC6
  • psd2: Article-95
  • iso27001: A.14.1
  • nist: SP800-52
  • fedramp: SC-8

Classification

  • CWE: 523

Score

  • CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVSS_SCORE: 4.3

References