Fixing Missing HTTP Strict Transport Security (HSTS)
Vulnerability assessment details, CWE reference metrics, and complete code-level patches.
Threat Profile
Vulnerability Analysis
HSTS instructs the browser to connect to the domain only over HTTPS. If the header is missing, an attacker positioned on the network can hijack the connection and redirect the user to an unencrypted HTTP version of the site (SSL stripping).
How it is Detected
Identified by inspecting HTTPS response headers for the 'Strict-Transport-Security' header.
Remediation Guidelines
Deploy the HSTS header with a large max-age value and apply it to all subdomains.
Remediation Script (Nginx server block)
# SECURE REMEDIATION: Enforce HSTS (2 years, include subdomains)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
Frequently Asked Questions
What is HSTS?
HSTS is a security header that tells browsers to enforce HTTPS connections, blocking plaintext redirects.
What does the 'preload' flag do?
It marks the site as eligible for the preload list built into modern browsers, ensuring that even the very first connection is made over HTTPS.
Does HSTS affect local environments?
Yes. If configured incorrectly it can break local HTTP development sites; use dedicated local development subdomains instead.
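As an added example (not part of this page's own remediation script), the following Python check implements the detection step above: it parses a Strict-Transport-Security header value the way RFC 6797 describes, then grades it against the remediation and preload criteria discussed on this page. The one-year threshold reflects the hstspreload.org requirements and the sample header sets are constructed, not real captures.

```python
import re

# Thresholds, assumed here for illustration: browsers need a numeric max-age, and the
# hstspreload.org list requires at least one year plus includeSubDomains and preload.
ONE_YEAR = 31536000

def parse_hsts(value):
    """Split an STS header value into {directive: argument}; return None when it is
    invalid (max-age absent/non-numeric or a directive repeated), which browsers ignore."""
    directives = {}
    for token in value.split(";"):
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in directives:  # each directive may appear only once (RFC 6797 s6.1)
            return None
        directives[name] = arg.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives

def assess_hsts(headers):
    """Grade the HSTS posture of an HTTPS response's headers (name -> value).
    Returns (status, findings) with status 'missing', 'invalid', 'weak' or 'ok'."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing", ["Strict-Transport-Security header not present"]
    parsed = parse_hsts(value)
    if parsed is None:
        return "invalid", ["malformed value; browsers will ignore it"]
    findings = []
    if parsed["max-age"] < ONE_YEAR:
        findings.append(f"max-age={parsed['max-age']} is below one year")
    if "includesubdomains" not in parsed:
        findings.append("includeSubDomains missing; subdomains stay downgradable")
    if "preload" in parsed and findings:
        findings.append("preload set but preload-list requirements are not met")
    return ("weak" if findings else "ok"), findings

# Constructed sample header sets (not real captures); the last one carries the
# exact header value the nginx remediation on this page emits.
SAMPLES = {
    "no_header": {"Content-Type": "text/html"},
    "short_max_age": {"Strict-Transport-Security": "max-age=300; preload"},
    "remediated": {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"},
}
```

Run `assess_hsts` over headers captured from an HTTPS response; a header seen only on a plain-HTTP response is ignored by browsers and should be treated as missing.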
Related Vulnerability Profiles
SQL Injection (SQLi)
Attackers execute arbitrary SQL commands, bypassing authentication and manipulating database schemas.
Stored Cross-Site Scripting (Stored XSS)
Malicious scripts are stored on the server (e.g. database) and executed when users request the compromised resource.
Reflected Cross-Site Scripting (Reflected XSS)
Malicious scripts are reflected off the web server (e.g. search queries) and executed immediately in the user's browser.
DOM-based Cross-Site Scripting (DOM XSS)
Vulnerability where the client-side JavaScript processes inputs in an unsafe way (e.g. using eval or innerHTML).