Overview
HTTP Strict Transport Security (HSTS) is a web security policy mechanism defined in RFC 6797 that instructs browsers to interact with a site exclusively over HTTPS for a declared period. When the Strict-Transport-Security response header is absent, browsers treat HTTP and HTTPS as equally acceptable transports, leaving users vulnerable to SSL-stripping attacks and unintended cleartext communication — even if the server enforces redirects from HTTP to HTTPS.
Sensagraph automatically detects missing or misconfigured HSTS headers during its continuous scanning of web properties.
How it works
Without HSTS, the following attack surface exists:
- First-visit exposure: A user's first request to a site (or a request made after the HSTS cache entry expires) is typically sent as plain HTTP before any server redirect to HTTPS. An on-path attacker can intercept this initial request.
- SSL stripping: An attacker performing a man-in-the-middle (MitM) attack can silently downgrade an HTTPS connection to HTTP using tools like sslstrip. The server issues a 301/302 redirect, but the attacker intercepts it and proxies the connection over HTTP, while maintaining an HTTPS session with the server. The victim's browser receives only HTTP.
- Mixed-content and bookmark issues: Users who bookmarked or typed the
http://variant bypass HTTPS entirely, and without HSTS there is no browser-enforced upgrade. - Cookie theft: Session cookies not marked with the
Secureflag can be transmitted over the downgraded HTTP connection, allowing session hijacking. - Expired or missing max-age: A header present with
max-age=0effectively revokes HSTS, creating the same risk as its complete absence.
The Strict-Transport-Security header syntax is:
Strict-Transport-Security: max-age=<seconds>[; includeSubDomains][; preload]
Once a browser receives a valid HSTS header, it will automatically upgrade all future HTTP requests to HTTPS for the domain for the duration of max-age, without making an initial HTTP request.
Business impact
The absence of HSTS can have significant consequences, particularly for applications that handle authentication, payments, or personal data:
- Credential and session theft: Attackers on shared networks (e.g., public Wi-Fi) can intercept login credentials and session tokens via SSL stripping or passive eavesdropping on HTTP traffic.
- Data integrity violation: Content served over HTTP can be injected with malicious scripts, advertisements, or redirects by a MitM attacker.
- Regulatory and compliance risk: PCI DSS, HIPAA, and GDPR mandates for data-in-transit protection may be considered unmet if transport security controls are weak or bypassable.
- Reputational damage: A successful MitM attack that exposes user data can erode customer trust and trigger public disclosure obligations.
How to fix it
- Set the Strict-Transport-Security header on all HTTPS responses. Configure the header at the web server or application layer. A minimum recommended
max-ageis 31536000 seconds (one year):Strict-Transport-Security: max-age=31536000; includeSubDomains - Include
includeSubDomainsto extend HSTS enforcement to all subdomains, preventing attackers from bypassing HSTS by targeting a subdomain over HTTP. - Add the
preloaddirective and submit your domain to the HSTS Preload List to eliminate first-visit vulnerability. Note that preloading requiresincludeSubDomainsand amax-ageof at least 31536000. - Ensure the header is sent only over HTTPS. Sending HSTS over HTTP is ignored by browsers and may cause configuration issues; send it exclusively from HTTPS responses.
- Do not set
max-age=0except when intentionally revoking HSTS (e.g., prior to decommissioning HTTPS on a domain). - Ensure all HTTP traffic is redirected to HTTPS (HTTP 301) before relying on HSTS, so that the header is ultimately delivered to all clients.
- Verify configuration in major web servers:
- Nginx:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - Apache:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" - IIS: Add a custom response header via the HTTP Response Headers feature or
web.config.
- Nginx:
References
- RFC 6797 – HTTP Strict Transport Security (HSTS) – IETF
- OWASP Secure Headers Project – Strict-Transport-Security
- OWASP Top 10 A05:2021 – Security Misconfiguration
- CWE-319 – Cleartext Transmission of Sensitive Information – MITRE
- Strict-Transport-Security – MDN Web Docs
- HSTS Preload List Submission – hstspreload.org