Security Test: Strict Transport Security¶

Description¶

Default Severity:

HSTS is a way for websites to insist that browsers always connect using secure, encrypted channels. Without it, users might accidentally or unknowingly connect using plain HTTP, leaving data vulnerable to attackers who can intercept or tamper with what’s sent. The risk is that an attacker could perform a downgrade attack—forcing a secure session to drop to an insecure one—and then spy on or alter the communication. A common pitfall among developers is neglecting to implement HSTS at all or configuring it too loosely, which means even when HTTPS is available, users might still have a window of exposure to man-in-the-middle attacks.

Reference:

https://owasp.org/www-community/Security_Headers
- https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
- https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html

Configuration¶

Identifier: protocol/header_strict_transport_security

Examples¶

All configuration available:

checks:
  protocol/header_strict_transport_security:
    skip: false # default

Compliance and Standards¶

Standard	Value
OWASP API Top 10	API7:2023
OWASP LLM Top 10	LLM06:2023
PCI DSS	`4.1`
GDPR	`Article-32`
SOC2	`CC6`
PSD2	`Article-95`
ISO 27001	`A.14.1`
NIST	`SP800-52`
FedRAMP	`SC-8`
CWE	`523`
CVSS Vector	`AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`
CVSS Score	`4.3`