HTTP Strict Transport Security (HSTS) not set
What this means
HTTP Strict Transport Security (HSTS) is a security policy mechanism that enforces secure (HTTPS) connections to a website.
When HSTS is not set, browsers may default to HTTP, potentially exposing data to interception.
Why this is a problem
Without an HSTS policy, a browser may connect to the site over HTTP.
Attackers can perform a man-in-the-middle attack to force a downgrade to HTTP, then intercept the HTTP connections, leading to data theft or injection of malicious content.
Users can also be tricked into using HTTP instead of HTTPS by accident, exposing sensitive data in transit.
The absence of an HSTS policy undermines user confidence in the website's security and privacy practices.
How to check if the problem is there
Check the web server configuration files for an HSTS header definition or an HSTS policy setting.
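Configuration review can be complemented by inspecting what the server actually sends. The following checker is an added example, not part of the original finding: it parses a captured Strict-Transport-Security header value and reports what is missing relative to the recommended header. The header sets in it are constructed samples, and it assumes the headers were captured from an HTTPS response, since browsers ignore the header on plain HTTP.

```python
"""Evaluate an HSTS policy from captured HTTP response headers (added example)."""
from __future__ import annotations

ONE_YEAR = 31536000  # seconds; the recommended max-age, also the preload-list minimum


def parse_hsts(value: str) -> dict[str, str | None] | None:
    """Parse a Strict-Transport-Security value (RFC 6797). Directive names are
    case-insensitive; a repeated directive makes the header invalid, so return None."""
    directives: dict[str, str | None] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        # max-age may carry a quoted value; the other directives carry none
        directives[name] = arg.strip().strip('"') if sep else None
    return directives


def evaluate_hsts(headers: dict[str, str]) -> list[str]:
    """Return findings for the given headers; an empty list means the policy is complete.
    Assumes the response was received over HTTPS (browsers ignore HSTS over HTTP)."""
    findings: list[str] = []
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["Strict-Transport-Security header not set"]
    d = parse_hsts(value)
    if d is None:
        return ["header syntax invalid (repeated directive); browsers ignore it"]
    if d.get("max-age") is None or not d["max-age"].isdigit():
        return ["max-age missing or not numeric; browsers ignore the header"]
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing; subdomains remain reachable over HTTP")
    if "preload" not in d:
        findings.append("preload missing; site cannot be submitted to the preload list")
    return findings


# Constructed sample header sets, as a scanner might capture them
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
WEAK = {"strict-transport-security": "max-age=300"}
UNSET = {"Content-Type": "text/html"}
```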
How to fix this
Configure the web server to include the Strict-Transport-Security header in HTTP responses, with a max-age directive that specifies how long the browser should enforce HTTPS.
Example header:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
max-age=31536000: Ensures HTTPS is enforced for one year.
includeSubDomains: Applies the policy to all subdomains.
preload: Allows the domain to be added to browser preload lists.
Ensure your website redirects all HTTP traffic to HTTPS to reinforce secure connections.
Submit your site to the HSTS preload list to ensure that browsers will only connect to your site over HTTPS, even before the first request.
Continuously monitor the implementation to ensure the HSTS header is set correctly and effectively prevents non-secure connections.