HTTP Strict Transport Security header not available over HTTPS

OWASP 2013-A5 OWASP 2017-A6 OWASP 2021-A5 OWASP 2019-API7 OWASP PC-C10 CWE-16 ISO27001-A.14.1.2 WASC-15 WSTG-CONF-07

HSTS (HTTP Strict Transport Security) is one of the critical web security policy mechanisms. It allows a web server to declare that browsers must interact with it only over secure HTTPS connections, and never via the insecure HTTP protocol. This mechanism protects websites against protocol downgrade attacks and cookie hijacking. Once a browser has read this header, it stops all HTTP communication with the domain and communicates with it over HTTPS only.

Many servers send the HSTS header only in HTTP responses rather than in HTTPS responses. Browsers ignore a Strict-Transport-Security header received over plain HTTP, so the HSTS implementation is ignored and users cannot take advantage of HSTS. Not having HSTS makes Man In The Middle (MITM) attacks easier for attackers.

        Strict-Transport-Security: max-age=31536000

This vulnerability has the following impacts:

  • Man in the middle attack. There are a few ways in which an end user becomes prone to a Man In The Middle (MITM) attack:
      • If a user bookmarks a webpage as rather than
      • If an HTTPS website has HTTP links.
      • If a server serves the data over HTTP.
      • The attacker will intercept using invalid certificates.

Mitigation / Precaution

Beagle recommends setting a proper HTTP Strict Transport Security header:

        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
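The two points above (browsers only honour HSTS received over HTTPS, and the recommended directives) can be checked mechanically. The following is an added example, not Beagle's scanner code: it parses a Strict-Transport-Security value as RFC 6797 directives and reports findings for a response; the header dictionaries at the bottom are constructed samples.

```python
# Added example, not Beagle's own scanner: parse a Strict-Transport-Security
# header value per RFC 6797 and judge whether a response carries an effective
# policy. The sample responses at the bottom are constructed, not captured.

def parse_hsts(value):
    """Return {'max_age', 'include_subdomains', 'preload'} or None if the
    header is one a browser would ignore (missing or non-numeric max-age)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def assess_hsts(scheme, headers, min_age=31536000):
    """Findings for one response. Browsers honour STS only when it arrives
    over HTTPS, so a header on an http:// response buys nothing."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if scheme != "https":
        return ["HSTS header sent over HTTP is ignored by browsers"] if value else []
    if value is None:
        return ["HSTS header not available over HTTPS"]
    policy = parse_hsts(value)
    if policy is None:
        return ["HSTS header is malformed (missing or invalid max-age)"]
    findings = []
    if policy["max_age"] < min_age:
        findings.append(f"max-age {policy['max_age']} is below {min_age} (one year)")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains not set")
    if not policy["preload"]:
        findings.append("preload not set")
    return findings

# Constructed responses: header only on the HTTP redirect, nothing on HTTPS.
HTTP_RESPONSE = {"Location": "https://example.com/",
                 "Strict-Transport-Security": "max-age=31536000"}
HTTPS_RESPONSE = {"Content-Type": "text/html"}

if __name__ == "__main__":
    print(assess_hsts("http", HTTP_RESPONSE))
    print(assess_hsts("https", HTTPS_RESPONSE))
```

Run it against real responses by fetching the same path over http:// and https:// and passing each response's header map to assess_hsts with its scheme.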
