Strict Transport Security

Description

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standard track protocol specified in RFC 6797.

Remediation

Add Strict-Transport-Security header.

GraphQL Specific

Apollo

Implement HTTP Strict Transport Security (HSTS) by adding a 'Strict-Transport-Security' header to all responses with an appropriate 'max-age' directive. Ensure that the 'includeSubDomains' directive is set if all subdomains are to be included, and consider the 'preload' directive if you want the domain to be included in the HSTS preload list. Configure the Apollo framework to enforce HTTPS to prevent protocol downgrade attacks and cookie hijacking.

Yoga

Enable HTTP Strict Transport Security (HSTS) by adding the 'Strict-Transport-Security' header with an appropriate 'max-age' directive to the Yoga framework engine. This header ensures that browsers only communicate with the server over HTTPS, preventing man-in-the-middle attacks. Configure the Yoga server to send the header 'Strict-Transport-Security: max-age=31536000; includeSubDomains' with every response to enforce a secure connection for at least one year, including all subdomains.

Awsappsync

Ensure that AWS AppSync is configured to use HTTPS for all communications and enable Strict Transport Security by setting the 'Strict-Transport-Security' header in the response. This can be achieved by configuring a custom domain name for your AppSync API and using AWS CloudFront to serve the API over HTTPS with the appropriate security headers.

Graphqlgo

Implement HTTP Strict Transport Security (HSTS) by configuring your web server to add the 'Strict-Transport-Security' header to all responses. This header should specify a 'max-age' directive to indicate how long the browser should remember that the site should only be accessed using HTTPS. Optionally, include the 'includeSubDomains' directive if you want all subdomains to also use HSTS, and the 'preload' directive if you want to be included in the HSTS preload list. For a GraphQL Go framework engine, ensure that the web server sitting in front of the application, such as Nginx or Apache, is configured to send the appropriate HSTS header.

Graphqlruby

Implement HTTP Strict Transport Security (HSTS) by adding the rack-ssl gem to your Gemfile and configuring it to use the Rack::SSL middleware. This will ensure that all communications between the client and the server are conducted over HTTPS, preventing man-in-the-middle attacks. Additionally, set the hsts option to true in your GraphQL Ruby framework configuration to enforce HSTS headers in responses.

Hasura

Enable Strict Transport Security in Hasura by setting the 'strict-transport-security' header in the response. This can be done by configuring the web server hosting Hasura to add this header, or by using a reverse proxy that can inject the header. The header should be set to 'max-age=31536000; includeSubDomains; preload' to ensure that browsers only access Hasura using HTTPS for at least one year, including all subdomains, and to allow the domain to be preloaded into browsers' HSTS lists.

REST Specific

Asp_net

Implement HTTP Strict Transport Security (HSTS) in your ASP.NET application by adding the 'Strict-Transport-Security' header to your responses. This can be done by configuring the 'system.webServer' section in your web.config file or by using OWIN middleware to append the header for all outgoing responses. Ensure that the 'max-age' attribute is set to an appropriate duration and consider including the 'includeSubDomains' attribute if you want all subdomains to also enforce HSTS.

Ruby_on_rails

In Ruby on Rails, enable HSTS by setting the 'hsts' option in the 'force_ssl' configuration. Add the following line to your application's configuration file (config/environments/production.rb): 'config.force_ssl = true', which will automatically enforce HSTS with default settings. For custom HSTS options, use 'config.ssl_options = { hsts: { expires: 1.year, subdomains: false } }' to specify the expiry time and whether to include subdomains.

Next_js

Implement HTTP Strict Transport Security (HSTS) in your Next.js application by configuring the server to send the 'Strict-Transport-Security' header with an appropriate 'max-age' value. This ensures that browsers only communicate with your server over HTTPS. Additionally, consider setting the 'includeSubDomains' flag if you want all subdomains to also use HSTS, and the 'preload' flag if you intend to submit your site to the HSTS preload list for added security.

Laravel

In Laravel, enable HTTP Strict Transport Security (HSTS) by adding the 'StrictTransportSecurity' middleware to the 'web' middleware group in the 'app/Http/Kernel.php' file. This middleware can enforce HTTPS by sending the 'Strict-Transport-Security' header with an appropriate max-age directive.

Express_js

In Express.js, to enable HTTP Strict Transport Security (HSTS), use the 'helmet' middleware. Install it with 'npm install helmet' and include it in your application by adding 'app.use(helmet.hsts({ maxAge: 15552000 }))' to set a max-age of 180 days. Ensure all requests use HTTPS to prevent man-in-the-middle attacks.

Django

In Django, enable HSTS by setting the 'SECURE_HSTS_SECONDS' value in your settings.py file to a non-zero integer, which specifies the number of seconds browsers should remember to only access the site via HTTPS. Also, consider setting 'SECURE_HSTS_INCLUDE_SUBDOMAINS' to True to apply HSTS to all subdomains, and 'SECURE_HSTS_PRELOAD' to True if you intend to submit your site to the HSTS preload list.

Symfony

In Symfony, enable HTTP Strict Transport Security (HSTS) by configuring the 'nelmio_security' bundle. Add the 'forced_ssl' configuration under 'nelmio_security' in your 'config/packages/security.yaml' file, setting 'hsts_max_age' to a suitable value, 'hsts_include_subdomains' to true if you want to include subdomains, and 'hsts_preload' to true if you intend to submit your site to the HSTS preload list.

Spring_boot

In Spring Boot, enable HSTS by configuring the security headers in the application.properties or application.yml file. Set the security.require-ssl property to true and use the SecurityHeadersConfigurer to add the Strict-Transport-Security header with an appropriate max-age directive.

Flask

In Flask, enable HSTS by setting the 'Strict-Transport-Security' header. Use Flask-Talisman or set the header manually in responses. For example, response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'

Nuxt

Implement HSTS in Nuxt.js by adding the helmet package to set the Strict-Transport-Security header. Configure it in the server middleware to ensure all connections use HTTPS.

Fastapi

In FastAPI, ensure that all responses set the 'Strict-Transport-Security' header with an appropriate 'max-age' value. This can be achieved by using middleware to automatically add the header to all responses. For example, you can use the 'fastapi.middleware.httpsredirect.HTTPSRedirectMiddleware' to enforce HTTPS, which will also set the HSTS header for you.

Configuration

Identifier: protocol/header_strict_transport_security

Examples

Ignore this check

checks:
  protocol/header_strict_transport_security:
    skip: true

Score

• Escape Severity: LOW

Compliance

• OWASP: API7:2023
• pci: 4.1
• gdpr: Article-32
• soc2: CC6
• psd2: Article-95
• iso27001: A.14.1
• nist: SP800-52
• fedramp: SC-8

Classification

Score

References

• https://owasp.org/www-community/Security_Headers
  • https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
  • https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html