HTTP Strict Transport Security header not available over HTTPS

Jijith Rajan
Published on
19 Jun 2018
1 min read

HSTS (HTTP Strict Transport Security) is one of the critical web security policy mechanism. This vulnerability allows any web server to declare interactions using only secure HTTPS connections, and never via the insecure HTTP protocol. This mechanism protects websites against protocol downgrade attacks and cookie hijacking. When a browser reads this header, it will stop all the HTTP communications with the domain and will start an HTTPS communication with the domain.

There are many servers that parse data via an HTTP response rather than HTTPS responses. Due to this vulnerability, the browser will ignore the HSTS implementation and the users will not be able to take advantage of HSTS. Not having HSTS will make Man In The Middle (MITM) attacks easier for attackers.


        Strict-Transport-Security: max-age=31536000



This vulnerability has the following impacts:-

  • Man in the middle attack There are a few ways where an end user will be prone to Man In The Middle (MITM) attack:-

  • If a user bookmarks a webpage as rather than
  • If an HTTPS website has HTTP links.
  • If a server serves the data over HTTP.
  • The attacker will intercept using invalid certificates.

Mitigation / Precaution

Beagle recommends setting proper HTTP Strict Transport Security

        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Jijith Rajan
Jijith Rajan
Cyber Security Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.