Project Simple, ST-116

Missing HTTP Strict Transport Security Header


    Details

    • Module:
      BenAdmin - Security
    • Reported by:
      Support
    • Item State:
      Production Complete - Closed
    • Issue Importance:
      Must Have

      Description

      Vulnerability Description:
      The HTTP Strict Transport Security (HSTS) response header tells a browser that, for the stated period, it must only connect to this host over HTTPS and must rewrite any http:// URL for the host to https:// before sending the request. Without this header on every HTTPS response, a user's first request to the site (a typed hostname, a bookmarked or e-mailed http:// link) still leaves the browser in plain text, and that request can be intercepted and kept on HTTP.

      Impact
      An attacker positioned on the network path (for example on shared Wi-Fi) can intercept a user's plain-HTTP request and answer it from an imitation server, or proxy the real site while stripping HTTPS, so that the browser keeps talking to the attacker over HTTP and never reaches the real site over TLS. HSTS closes this window for every user who has previously received the header, because the browser refuses to send the request in the clear.

      Verification and Attack Information
      Praetorian identified the lack of "Strict-Transport-Security" headers during an application walkthrough.

      Recommendation
      Add the HTTP Strict-Transport-Security header to all HTTPS responses, including redirects and error pages. The syntax is as follows: Strict-Transport-Security: max-age=<seconds>[; includeSubDomains]
      The parameter max-age gives the time in seconds for which the browser must require HTTPS and should be set high, e.g. several months (15552000 seconds is 180 days). The flag includeSubDomains extends the policy to all subdomains of the responding host; confirm first that every subdomain serves HTTPS, otherwise those subdomains become unreachable for the duration of max-age. Browsers ignore the header on plain-HTTP responses, so verify it on the HTTPS endpoint. A policy already cached by a browser can only be shortened by sending a smaller max-age over HTTPS (max-age=0 tells the browser to drop it).
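      The following checker is an added example, not part of the ticket or of Praetorian's tooling. It parses a Strict-Transport-Security header value into its directives and reports the same defects a reviewer would flag by hand: header missing, max-age absent, zero or below a threshold, includeSubDomains not set, or the header being tested on a plain-HTTP response where browsers ignore it. The 180-day threshold (MIN_MAX_AGE) and the sample responses are assumptions constructed for the example; fetch_headers() is an optional live probe against a real host and is not used by the offline checks.

```python
# Added example (not from the ticket): assess an HSTS header as a browser would see it.
import http.client

# Assumed threshold: "several months" taken as 180 days (15552000 seconds).
MIN_MAX_AGE = 15552000


def parse_hsts(value):
    """Split an HSTS value (RFC 6797: max-age=<secs>[; includeSubDomains][; preload])
    into a dict keyed by lower-cased directive name. Directives without '=' map to ''."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def assess_hsts(headers, scheme="https"):
    """Return a list of findings for one response's headers; an empty list means OK.
    headers: dict of header name -> value, any letter case."""
    if scheme != "https":
        # Browsers only honour HSTS on HTTPS responses, so an HTTP response proves nothing.
        return ["HSTS is only honoured over HTTPS; test the HTTPS endpoint"]
    value = None
    for name, val in headers.items():
        if name.lower() == "strict-transport-security":
            value = val
            break
    if value is None:
        return ["Missing Strict-Transport-Security header"]
    findings = []
    d = parse_hsts(value)
    if "max-age" not in d or not d["max-age"].isdigit():
        findings.append("max-age missing or non-numeric")
    else:
        age = int(d["max-age"])
        if age == 0:
            findings.append("max-age=0 disables HSTS")
        elif age < MIN_MAX_AGE:
            findings.append(f"max-age {age} below {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set (subdomains remain downgradeable)")
    return findings


# Constructed sample responses: the state the ticket reports, and the state after the fix.
SAMPLE_RESPONSES = {
    "before_fix": {"Content-Type": "text/html", "Server": "example"},
    "after_fix": {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
    },
    "weak_policy": {"strict-transport-security": "max-age=300"},
}


def check_samples():
    """Run assess_hsts over every constructed sample; returns name -> findings."""
    return {name: assess_hsts(hdrs) for name, hdrs in SAMPLE_RESPONSES.items()}


def fetch_headers(host, path="/"):
    """Optional live probe (needs network): fetch the HTTPS response headers for host."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    conn.close()
    return headers


if __name__ == "__main__":
    for name, findings in check_samples().items():
        print(name, "->", findings or "OK")
```

      Run it against a live host with assess_hsts(fetch_headers("example.com")); the HEAD request is enough because only headers matter, but check a redirect and an error page too, since those responses are often generated by a different layer and miss the header.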

      References
      https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

            People

            Assignee:
            deepalit Deepali Tidke (Inactive)
            Reporter:
            vijayendra Vijayendra Shinde (Inactive)
            Developer:
            Niteen Surwase (Inactive)