Project Simple: ST-116

Missing HTTP Strict Transport Security Header

    Details

    • Module:
      BenAdmin - Security
    • Reported by:
      Support
    • Item State:
      Production Complete - Closed
    • Issue Importance:
      Must Have

      Description

      Vulnerability Description:
      The HTTP Strict Transport Security (HSTS) header tells a browser that, for the stated number of seconds, it must reach this host only over HTTPS: the browser rewrites http:// URLs for the host to https:// before sending them and refuses to let the user click through certificate errors. Without this header on the application's HTTPS responses, the browser has no such policy, so any plain-HTTP request to the host (a typed hostname, an old bookmark, an http:// link) can be intercepted on the network and kept on HTTP or redirected elsewhere (SSL stripping).

      Impact
      An attacker positioned on the network path (for example on a hostile Wi-Fi hotspot or a compromised router) can intercept a user's plain-HTTP request to the site and answer from an imitation web server, or proxy the real site while keeping the user's session on HTTP, reading credentials and session cookies as they pass. With HSTS in effect the browser would never have sent that request over HTTP in the first place.

      Verification and Attack Information
      Praetorian identified the lack of "Strict-Transport-Security" headers during an application walkthrough.

      Recommendation
      Add the HTTP Strict-Transport-Security header to all HTTPS responses. The syntax is as follows: Strict-Transport-Security: max-age=<seconds>[; includeSubDomains]
      The max-age parameter gives the number of seconds for which the browser must use HTTPS for this host and should be large, at least several months; the OWASP example uses one year (max-age=31536000). The includeSubDomains flag extends the policy to every subdomain of the host that sent the response, so set it only once every subdomain serves valid HTTPS, because the browser will then refuse plain-HTTP connections to all of them. Two practical points: browsers ignore the header in responses received over plain HTTP, so the site must also redirect HTTP requests to HTTPS for the policy to be learned on the first visit; and a policy already cached by browsers cannot be withdrawn quickly, so test with a short max-age before raising it to the final value.
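      The following is an added example, not part of the original report or of the project's code: a small audit routine that reads Strict-Transport-Security values the way a browser does (RFC 6797 directive syntax, the recommendation's max-age=<seconds>[; includeSubDomains] form) and reports the weak configurations a reviewer would want flagged: a missing header, a header sent only over plain HTTP, max-age=0 or a short max-age, a missing includeSubDomains, and malformed values. The sample responses at the bottom are constructed for the demonstration, not captured from the servers in this ticket.

```python
"""Audit Strict-Transport-Security header values the way a browser reads them.

Added example for this ticket, not code from the original report or from the
project. The sample responses at the bottom are constructed for the demo.
"""
import re
from typing import Dict, List, Optional, Tuple

# One year: the value the ticket's fix uses and the usual recommended minimum.
RECOMMENDED_MIN_AGE = 31536000


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split an HSTS header value into its directives (RFC 6797 section 6.1).

    Directive names are case-insensitive and must not repeat; values may be
    quoted. Raises ValueError on a malformed header so callers treat it as
    missing rather than as protection (browsers discard malformed headers).
    """
    directives: Dict[str, Optional[str]] = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue  # RFC 6797 tolerates empty directives between ';'
        name, sep, val = token.partition("=")
        name = name.strip().lower()
        if not name:
            raise ValueError(f"empty directive name in {value!r}")
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        directives[name] = val if sep else None
    return directives


def audit_hsts(headers: Dict[str, str], over_tls: bool) -> List[str]:
    """Return findings for one response; an empty list means acceptable.

    `headers` maps response header names (matched case-insensitively) to
    values; `over_tls` says whether the response arrived over HTTPS.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["Strict-Transport-Security header missing"]
    if not over_tls:
        # RFC 6797 section 8.1: a browser must ignore HSTS received over plain HTTP.
        return ["HSTS sent only over plain HTTP is ignored by browsers; "
                "send it on the HTTPS response and redirect HTTP to HTTPS"]
    try:
        directives = parse_hsts(value)
    except ValueError as exc:
        return [f"malformed HSTS header: {exc}"]

    findings: List[str] = []
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        findings.append("max-age missing or not a non-negative integer (required directive)")
    elif int(max_age) == 0:
        findings.append("max-age=0 tells browsers to forget the policy instead of enforcing it")
    elif int(max_age) < RECOMMENDED_MIN_AGE:
        findings.append(f"max-age={max_age} is below one year ({RECOMMENDED_MIN_AGE})")
    if "includesubdomains" not in directives:
        # Without it, a plain-HTTP subdomain can still receive cookies scoped to the parent domain.
        findings.append("includeSubDomains absent; subdomains remain reachable over plain HTTP")
    return findings


# Constructed sample responses (label, response headers, received over TLS?).
SAMPLES: List[Tuple[str, Dict[str, str], bool]] = [
    ("finding as reported", {"Content-Type": "text/html"}, True),
    ("fix from the ticket", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, True),
    ("weak max-age", {"strict-transport-security": "max-age=300"}, True),
    ("cleared policy", {"Strict-Transport-Security": "max-age=0"}, True),
    ("header only on http", {"Strict-Transport-Security": "max-age=31536000"}, False),
    ("duplicate directive", {"Strict-Transport-Security": "max-age=1; max-age=2"}, True),
]


def audit_all() -> Dict[str, List[str]]:
    """Run the audit over every constructed sample, keyed by its label."""
    return {label: audit_hsts(hdrs, tls) for label, hdrs, tls in SAMPLES}


if __name__ == "__main__":
    for label, findings in audit_all().items():
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

      To use it against a real deployment, feed it the response headers of every HTTPS resource the login page loads (the fix only counts once every response carries the header) and, separately, the headers of the plain-HTTP response, which should be a redirect to HTTPS rather than the page itself.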

      References
      https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

          Activity

          niteen.surwase Niteen Surwase (Inactive) added a comment -

          Steps to Configure Server for HTTP Strict Transport Security Header

          1. Open IIS Manager and Select Project (Site).

          2. Open "HTTP Response Header" and Click on "Add" button from Actions pane.

          3. Add the following Name and Value:
          Name: Strict-Transport-Security
          Value: max-age=31536000; includeSubDomains

          Note: This will edit the Web.Config file of the web projects.

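          As an added illustration of what the IIS Manager steps above write to disk (example code, not the project's own): the "HTTP Response Headers" > "Add" action stores an <add> element under system.webServer/httpProtocol/customHeaders in the site's web.config. The script below makes the same edit programmatically and idempotently, so a deployment pipeline can apply it without creating the duplicate entry IIS rejects. The sample web.config is constructed for the demonstration.

```python
"""Write the IIS custom header that the ticket's IIS Manager steps produce.

Added example for this ticket, not the project's own code. It edits a
web.config the way IIS Manager's "HTTP Response Headers" > "Add" does:
an <add> under system.webServer/httpProtocol/customHeaders. The sample
web.config below is constructed for the demonstration.
"""
import xml.etree.ElementTree as ET
from typing import Optional

HSTS_NAME = "Strict-Transport-Security"
HSTS_VALUE = "max-age=31536000; includeSubDomains"  # value used in the ticket


def _child(parent: ET.Element, tag: str) -> ET.Element:
    """Return the first child named `tag`, creating it if absent."""
    found = parent.find(tag)
    return found if found is not None else ET.SubElement(parent, tag)


def add_hsts_header(web_config: str, value: str = HSTS_VALUE) -> str:
    """Return web_config with an HSTS customHeaders entry set to `value`.

    Idempotent: an existing entry (header names are case-insensitive) is
    updated in place rather than duplicated, because IIS rejects a
    customHeaders collection with two entries of the same name.
    """
    root = ET.fromstring(web_config)
    if root.tag != "configuration":
        raise ValueError("not an IIS web.config: root element is not <configuration>")
    headers = _child(_child(_child(root, "system.webServer"), "httpProtocol"), "customHeaders")
    for entry in headers.findall("add"):
        if entry.get("name", "").lower() == HSTS_NAME.lower():
            entry.set("value", value)
            break
    else:
        ET.SubElement(headers, "add", {"name": HSTS_NAME, "value": value})
    return ET.tostring(root, encoding="unicode")


def hsts_header_value(web_config: str) -> Optional[str]:
    """Read back the configured HSTS value, or None if the site has none."""
    root = ET.fromstring(web_config)
    for entry in root.iterfind("system.webServer/httpProtocol/customHeaders/add"):
        if entry.get("name", "").lower() == HSTS_NAME.lower():
            return entry.get("value")
    return None


# Constructed sample: a minimal web.config before the fix (no HSTS entry).
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <httpRuntime targetFramework="4.7.2" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

if __name__ == "__main__":
    print(add_hsts_header(SAMPLE_WEB_CONFIG))
```

          One caveat with this approach: a customHeaders entry is attached to every response the site sends, including plain-HTTP ones, which browsers ignore, so the site still needs an HTTP-to-HTTPS redirect for the policy to take effect on a user's first visit.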
          niteen.surwase Niteen Surwase (Inactive) added a comment - - edited

          Path to test:

          1. Open Login Page --> Inspect Element --> Network Tab --> Reload Page (Ctrl + F5)

          2. Check the response headers of all files --> the Strict-Transport-Security attribute is added.

          3. It has two parameters: max-age=31536000 and includeSubDomains.

          amitg Amit Gude (Inactive) added a comment -

          Assigning to Zeeshan

          Zeeshan.Chishty Zeeshan Chishty (Inactive) added a comment -

          Verified that the Strict-Transport-Security header is implemented as
          max-age=31536000; includeSubDomains

          Zeeshan.Chishty Zeeshan Chishty (Inactive) added a comment -

          Verified on stage that the Strict-Transport-Security header is implemented as
          max-age=31536000; includeSubDomains

          Zeeshan.Chishty Zeeshan Chishty (Inactive) added a comment -

          The Strict-Transport-Security: max-age=31536000; includeSubDomains header is added on the production server; confirmed the same.

          deepalit Deepali Tidke (Inactive) added a comment -

          As discussed with Niteen, no functional testing is involved here; we can close this ticket.


            People

            Assignee:
            deepalit Deepali Tidke (Inactive)
            Reporter:
            vijayendra Vijayendra Shinde (Inactive)
            Developer:
            Niteen Surwase (Inactive)
            Votes:
            0
            Watchers:
            5
