How To Prevent the Failure to Use HTTP Strict Transport Security (HSTS)

Preventing Failure to Use Strict Transport Security

If you are not familiar with the concept of HTTP Strict Transport Security (HSTS), we suggest that you review the article entitled “What is HTTP Strict Transport Security ?“.

For additional information about detecting the “Failure to Use HTTP Strict Transport Security (HSTS)” vulnerability within a web-application, please see the article entitled “How To Test For the Failure to Use HTTP Strict Transport Security (HSTS)“.

The Strict-Transport-Security Header

Note that it is NOT the default behavior of the browser to ensure that a site serving HTTP content over TLS/SSL (i.e. HTTPS) be required to use HTTPS for all content.

As defined in IETF RFC6797 , a client browser is instructed to enforce Strict Transport Security using the following HTTP Response Header:

Strict-Transport-Security: max-age=86400; includeSubDomains

The required “max-age” attribute specifies the desired enforcement period the site is requesting, represented in seconds.  During this “enforcement period”, the Browser is authorized to transparently convert any HTTP requests to the indicated domain into HTTPS requests.  The optional but strongly recommended “includeSubDomains” attribute, further empowers the Browser to apply the directive to all sub-domains of the requested URL.

It is recommended that minimally, HSTS hosts should declare HSTS policy at their top-level domain name and for any pages that might be bookmarked or directly referenced by users.  However, unless there is a design limitation preventing it (such as the need to separately support both HTTP and HTTPS), we recommend that ALL pages of an HTTPS site return the Strict-Transport-Security header in all responses.

This solution approach actually simplifies things because it allows a single global solution like a servlet filter or configuration option to be employed.

About Affinity IT Security

We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and  train your developers and testers.  In fact, we train developers and IT staff how to hack applications and networks.

Perhaps it was a network scan or website vulnerability test that brought you here.  If so, you are likely researching how to find, fix, or avoid a particular vulnerability.  We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.

Contact us to learn how to better protect your enterprise.



Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.