Protocol: Strict Transport Security
Identifier:
header_strict_transport_security
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
HTTP Strict Transport Security (HSTS, RFC 6797) instructs a browser that has received the `Strict-Transport-Security` header over HTTPS to reach that host only over TLS for the next `max-age` seconds: plain `http://` URLs are rewritten to `https://` before the request leaves the browser, and certificate errors can no longer be clicked through. Without it, a user who types a bare hostname or follows an `http://` link starts with a plaintext request that an on-path attacker can read, tamper with, or keep on HTTP altogether (an SSL-stripping downgrade attack).
How we test: We analyze the HTTP response headers for the `Strict-Transport-Security` header and report when it is missing or misconfigured. We check that HSTS is properly implemented with an appropriate `max-age` value (a long enough lifetime, not absent, malformed or zero) and the `includeSubDomains` directive, since a short lifetime or unprotected subdomains leave a window for man-in-the-middle attacks. Keep in mind that browsers only honor the header on an HTTPS response, and a user's very first visit is unprotected unless the domain is on the HSTS preload list.
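The following is an added worked example of the kind of evaluation described above; it is not the scanner's own code. It parses a `Strict-Transport-Security` value the way RFC 6797 section 6.1 prescribes (directive names are case-insensitive, `max-age` may be quoted, a repeated directive makes the whole header invalid), then applies assumed policy thresholds: the commonly recommended one-year `max-age`, the presence of `includeSubDomains`, and the rule that the header only counts when served over HTTPS. The sample responses in `main()` are constructed for illustration.

```python
"""Evaluate an HSTS header for presence and common misconfigurations."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed policy threshold: one year, the value most guidance (and preload) expects.
ONE_YEAR = 31536000


@dataclass
class HstsResult:
    present: bool
    valid: bool
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    findings: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> Tuple[Dict[str, Optional[str]], bool]:
    """Split the header into directives. Returns (directives, valid).

    Per RFC 6797, directive names are case-insensitive, values may be quoted,
    and a directive that appears twice invalidates the header.
    """
    directives: Dict[str, Optional[str]] = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, has_value, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # unquote: max-age="31536000" is legal
        if name in directives:
            return directives, False  # duplicate directive: browsers ignore the header
        directives[name] = val if has_value else None
    return directives, True


def evaluate_hsts(headers: Dict[str, str], over_https: bool = True,
                  min_max_age: int = ONE_YEAR) -> HstsResult:
    """Check the response headers of one page and list the findings."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return HstsResult(False, False, None, False, False,
                          ["Strict-Transport-Security header missing"])
    result = HstsResult(True, True, None, False, False)
    if not over_https:
        result.findings.append("header served over plain HTTP; browsers ignore it "
                               "(RFC 6797 section 8.1)")
    directives, valid = parse_hsts(value)
    if not valid:
        result.valid = False
        result.findings.append("duplicate directive; browsers ignore the whole header")
        return result
    max_age = directives.get("max-age")
    if "max-age" not in directives or max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        result.valid = False
        result.findings.append(f"max-age missing or not a non-negative integer: {max_age!r}")
        return result
    result.max_age = int(max_age)
    result.include_subdomains = "includesubdomains" in directives
    result.preload = "preload" in directives
    if result.max_age == 0:
        result.findings.append("max-age=0 removes the host from the browser's HSTS list")
    elif result.max_age < min_max_age:
        result.findings.append(f"max-age {result.max_age} is below the recommended {min_max_age}")
    if not result.include_subdomains:
        result.findings.append("includeSubDomains missing; subdomains can still be reached over HTTP")
    if result.preload and (result.max_age < ONE_YEAR or not result.include_subdomains):
        result.findings.append("preload requires max-age >= one year and includeSubDomains")
    return result


def main() -> None:
    # Constructed sample responses, not captured from any real host.
    samples = {
        "hardened": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
        "too short": {"strict-transport-security": 'max-age="300"'},
        "duplicate": {"Strict-Transport-Security": "max-age=1; max-age=2"},
        "missing": {"Content-Type": "text/html"},
    }
    for name, headers in samples.items():
        result = evaluate_hsts(headers)
        print(f"{name:10s} valid={result.valid} max_age={result.max_age} "
              f"findings={result.findings}")


if __name__ == "__main__":
    main()
```

`evaluate_hsts` returns a structured result rather than a pass/fail boolean so a scanner can report the specific directive at fault; the `over_https` flag exists because a correct header on an `http://` response is a common false sense of security that a header-only check would otherwise miss.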
References:
- https://owasp.org/www-community/Security_Headers
- https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
- https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html
Configuration
Example
Example configuration:
Reference
skip
Type : boolean
Skip the test if true.