How To Test For Failure to Use HTTP Strict Transport Security (HSTS)

Testing For Failure to Use HTTP Strict Transport Security

If you are not familiar with the concept of HTTP Strict Transport Security (HSTS), we suggest that you review the article entitled “What is HTTP Strict Transport Security ?“.

It is not uncommon for web-application vulnerability scanners to report a “Failure To Use HSTS” in applications supporting HTTPS.  It is also easy to manually detect this vulnerability by examining responses to HTTPS requests.  Sites transferring sensitive information in HTTP requests or responses should include the Strict-Transport-Security HTTP header in all responses.  If the header is not present in even one response, the website is vulnerable.  It is particularly important that landing pages that user’s will bookmark or that will serve as link targets are protected with the  header.

For additional information about preventing and/or fixing this vulnerability within a web-application, please see the article entitled “How to Prevent the Failure to Use HTTP Strict Transport Security (HSTS)“.

About Affinity IT Security

We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and  train your developers and testers.  In fact, we train developers and IT staff how to hack applications and networks.

Perhaps it was a network scan or website vulnerability test that brought you here.  If so, you are likely researching how to find, fix, or avoid a particular vulnerability.  We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.

Contact us to learn how to better protect your enterprise.



Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.