HTTP Strict Transport Security header not available over HTTPS

By
Jijith Rajan
Published on
19 Jun 2018
1 min read
HSTS

HSTS (HTTP Strict Transport Security) is a web security policy mechanism, defined in RFC 6797, that lets a web server declare that browsers must interact with it only over HTTPS and never over plain HTTP. Once a browser has received the Strict-Transport-Security header from a host over a valid HTTPS connection, it rewrites every http:// URL for that host to https:// before any request is sent, for as long as the header's max-age says, and it treats certificate errors for that host as hard failures the user cannot click through. This protects websites against protocol downgrade attacks and cookie hijacking.

This finding means the Strict-Transport-Security header is missing from the server's HTTPS responses. Many servers send it only on plain-HTTP responses (typically the redirect to HTTPS). Browsers are required to ignore the header when it arrives over HTTP, because an attacker on the path could have injected or altered it, so a site that sends it only there gets no HSTS protection at all: users cannot take advantage of HSTS, and Man-in-the-Middle (MITM) attacks remain as easy as they would be without the header.

Example

        Strict-Transport-Security: max-age=31536000

Impact

This vulnerability has the following impacts:

  • Man-in-the-Middle attacks. Without an enforced HSTS policy there are several ways an end user ends up on a plain-HTTP connection that an attacker on the network path can intercept:

    • The user bookmarks or types the page as http://www.example.beaglesecurity.com rather than https://www.example.beaglesecurity.com, so the first request leaves the browser unencrypted.
    • An HTTPS page contains links to http:// URLs.
    • The server serves data over HTTP, for example an HTTP-to-HTTPS redirect that can be intercepted before it is followed.
    • The attacker terminates the connection with an invalid certificate. Without HSTS the browser shows a warning the user can click through; for a known HSTS host it refuses the connection outright.

Mitigation / Precaution

Beagle recommends setting a proper HTTP Strict Transport Security header on every HTTPS response the site sends, including responses on the bare domain:

        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Sending the header on HTTP responses achieves nothing, since browsers discard it there. Before adding includeSubDomains, confirm that every subdomain is reachable over HTTPS, because the directive makes browsers refuse plain HTTP to all of them for the full max-age. Add preload only if you intend to submit the domain at hstspreload.org; the preload list requires exactly this combination (a max-age of at least one year, includeSubDomains and preload), and removal from the list is slow once it has shipped in browsers.
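The checker below is an added example for this article, not Beagle Security's scanner code. It implements the check the article describes: it parses the Strict-Transport-Security header the way RFC 6797 tells browsers to, reports the header as ineffective when it appears only in the plain-HTTP response, and validates the recommended directives on the HTTPS response. The response headers in the demo are constructed; in practice you would gather the two header dictionaries by issuing the same request over http:// and https:// (for example with http.client or curl -sI).

```python
"""Check a site's HSTS posture from its plain-HTTP and HTTPS response headers.

Added example for this article, not Beagle Security's scanner code. The header
values in the demo are constructed; parsing follows RFC 6797 sections 6.1 and 8.1.
"""
import re
from dataclasses import dataclass
from typing import Optional

# The max-age the article recommends; also the minimum hstspreload.org accepts.
ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None means a browser would ignore it.

    RFC 6797 6.1: max-age is mandatory, names are case-insensitive, a repeated
    directive invalidates the whole header, and unknown directives are ignored.
    """
    seen = set()
    max_age = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not re.fullmatch(r"\d+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def _header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def assess_hsts(http_headers: dict, https_headers: dict) -> list:
    """Return findings; an empty list means the HTTPS response carries the recommended policy."""
    findings = []
    over_http = _header(http_headers, "Strict-Transport-Security")
    over_https = _header(https_headers, "Strict-Transport-Security")
    if over_https is None:
        # RFC 6797 8.1: browsers discard the header on plain HTTP, which is the finding in this article.
        if over_http is not None:
            findings.append("HSTS header sent only over HTTP; browsers ignore it there, so the site has no HSTS")
        else:
            findings.append("HSTS header missing from the HTTPS response")
        return findings
    policy = parse_hsts(over_https)
    if policy is None:
        findings.append("HSTS header on the HTTPS response is malformed and will be ignored")
        return findings
    if policy.max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy rather than enforce one")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is below the recommended one year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains and cookies scoped to them stay exposed")
    if policy.preload and (policy.max_age < ONE_YEAR or not policy.include_subdomains):
        findings.append("preload present but the preload list requires max-age >= 1 year and includeSubDomains")
    return findings


if __name__ == "__main__":
    # Constructed responses: the header rides only on the HTTP redirect, not on the HTTPS page.
    http_resp = {"Location": "https://www.example.beaglesecurity.com/",
                 "Strict-Transport-Security": "max-age=31536000"}
    https_resp = {"Content-Type": "text/html"}
    for finding in assess_hsts(http_resp, https_resp):
        print("FINDING:", finding)
    # After the fix: the recommended header on the HTTPS response produces no findings.
    https_fixed = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
    print("after fix:", assess_hsts({}, https_fixed))
```

The parser returns None for anything a browser would discard (missing max-age, a non-numeric max-age, a duplicated directive), so a header that "looks present" in a scanner but is silently ignored by browsers still shows up as a finding.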
Written by Jijith Rajan, Cyber Security Engineer