HTTP security headers STS

Hi everyone, I’ve been using different tools to identify the HTTP security headers implemented.

When I use the module “is_header_hsts_missing” from asserts, it throws the following result: “Strict-Transport-Security HTTP header is insecure”

So when I use an online scanner, the scanner shows me the Strict-Transport-Security header is implemented; the same occurs when I use nikto.
Message from nikto: “‘strict-transport-security’ found, with contents: max-age=2592000”

Is the configuration for this header insecure? I read that configuration should include “includeSubDomains”.

The max-age is below the recommended threshold (31536000) and yes, it should include includeSubDomains (unless it is a REST API).

I am moving the topic to products-asserts.

@wizardly-knuth do you have any external reference to support our strictest policy?

For the includeSubDomain:

RFC 6797, section 14.4 advocates that a web application must aim to add the ‘includeSubDomain’ directive in the policy definition whenever possible. The directive’s presence ensures the HSTS policy is applied to the domain of the issuing host and all of its subdomains, e.g. example.com and www.example.com.

For the max-age, 1 year is kind of a consensus and it’s recommended in many places around the web:

  1. https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server
  2. https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
  3. https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/http-strict-transport-security-hsts-max-age-value-too-low/
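A small checker that applies the two rules from the replies above (max-age of at least 31536000 seconds, and includeSubDomains present unless the host is a REST API). This is an added example, not code from Fluid Attacks' asserts or from any of the tools mentioned; the sample header value is the one nikto reported in the thread.

```python
# Added example (not the asserts module): parse a Strict-Transport-Security
# header value and report the weaknesses discussed in this thread.

RECOMMENDED_MAX_AGE = 31536000  # one year, the threshold cited in the replies


def parse_hsts(value):
    """Parse an STS header value into a dict of lowercase directive names.

    Directive names are case-insensitive (RFC 6797); values are kept as-is
    with surrounding quotes stripped. Returns None for a duplicated directive,
    which RFC 6797 treats as an invalid header.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"')
    return directives


def check_hsts(value, is_rest_api=False):
    """Return a list of findings for a header value (empty list means OK).

    value=None models a response that carries no STS header at all.
    """
    if value is None:
        return ["header missing"]
    directives = parse_hsts(value)
    if directives is None or "max-age" not in directives:
        return ["header unparseable or max-age missing"]
    findings = []
    if not directives["max-age"].isdigit():
        findings.append("max-age is not a non-negative integer")
    elif int(directives["max-age"]) < RECOMMENDED_MAX_AGE:
        findings.append("max-age below recommended %d" % RECOMMENDED_MAX_AGE)
    if "includesubdomains" not in directives and not is_rest_api:
        findings.append("includeSubDomains missing")
    return findings


if __name__ == "__main__":
    # Constructed sample: the value nikto reported in this thread
    print(check_hsts("max-age=2592000"))
```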