HTTP Strict Transport Security (HSTS) Missing

Medium Severity Technical Guide

Vulnerability Description

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against cookie hijacking and protocol downgrade attacks (like SSL stripping). It forces user agents (like browsers) to only interact with the website using secure HTTPS connections, never over plaintext HTTP.

Remediation Guide

To resolve this vulnerability, apply the following configuration change:

To enable HSTS, add the Strict-Transport-Security header to all responses served over HTTPS. The max-age directive specifies, in seconds, how long the browser should remember this policy (31536000 seconds = 1 year):

    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Verify Your Fix

After applying the remediation, run an external attack-surface scan to verify that the vulnerability is no longer detected by WebScanify.
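As a local complement to the external scan, the following added example (not WebScanify's code) parses a Strict-Transport-Security header value the way a browser does per RFC 6797 (directive names are case-insensitive, unknown directives are ignored, a header without max-age is ignored entirely) and reports the common misconfigurations: header missing, max-age=0 or shorter than the one year recommended above, includeSubDomains absent, and preload set without meeting the preload-list requirements. It also flags the case where the header is only sent over plaintext HTTP, where browsers ignore it. The sample responses are constructed for the demonstration; the ONE_YEAR threshold is the guide's 31536000.

```python
"""Assess Strict-Transport-Security (HSTS) header values for common mistakes.

Added example, not part of the WebScanify guide. Standard library only; runs
offline against constructed sample responses.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31536000  # seconds; the max-age value recommended in the guide


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)


def parse_hsts(value: Optional[str]) -> HstsResult:
    """Parse one header value using RFC 6797 rules and collect findings."""
    if value is None:
        return HstsResult(present=False,
                          findings=["Strict-Transport-Security header missing"])
    result = HstsResult(present=True)
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        arg = arg.strip().strip('"')         # max-age="300" is valid syntax
        if name == "max-age":
            if arg.isdigit():
                result.max_age = int(arg)
            else:
                result.findings.append(f"max-age has a non-numeric value: {arg!r}")
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
        # any other directive is ignored by user agents, so it is ignored here too
    if result.max_age is None:
        result.findings.append("max-age directive missing: browsers ignore the header")
    elif result.max_age == 0:
        result.findings.append("max-age=0 clears the policy; HSTS is effectively off")
    elif result.max_age < ONE_YEAR:
        result.findings.append(
            f"max-age {result.max_age} is below the recommended {ONE_YEAR} (1 year)")
    if not result.include_subdomains:
        result.findings.append(
            "includeSubDomains absent: subdomains remain reachable over plain HTTP")
    if result.preload and (result.max_age is None or result.max_age < ONE_YEAR
                           or not result.include_subdomains):
        result.findings.append(
            "preload set but preload-list requirements are not met "
            "(max-age >= 1 year and includeSubDomains)")
    return result


def assess_response(scheme: str, headers: Dict[str, str]) -> HstsResult:
    """Evaluate one response. HSTS is only honoured on HTTPS responses."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if scheme.lower() != "https":
        result = HstsResult(present=value is not None)
        result.findings.append(
            "response is plaintext HTTP: browsers ignore HSTS here, check the HTTPS response")
        return result
    return parse_hsts(value)


# Constructed sample responses (scheme, headers), not captured from any real site.
SAMPLE_RESPONSES: Dict[str, Tuple[str, Dict[str, str]]] = {
    "good": ("https", {"Strict-Transport-Security":
                       "max-age=31536000; includeSubDomains; preload"}),
    "missing": ("https", {"Content-Type": "text/html"}),
    "short": ("https", {"strict-transport-security": "max-age=300"}),
    "http-only": ("http", {"Strict-Transport-Security": "max-age=31536000"}),
}


def run_checks() -> Dict[str, List[str]]:
    """Return the findings for every constructed sample response."""
    return {name: assess_response(scheme, headers).findings
            for name, (scheme, headers) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The "good" sample produces no findings; the others each produce at least one. Two caveats the check cannot see: the header has to come from the live HTTPS server block (in nginx, `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;` inside the 443 server, not the port-80 one), and the preload directive is a commitment that is slow to reverse once a domain is in browsers' built-in lists, so confirm that every subdomain serves valid HTTPS before adding it.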

Is your website vulnerable?

Run a free security scan now to identify missing headers, outdated JS, and other deployment vulnerabilities.