Configuration Management / Strict Transport Security Misconfiguration

The application cannot prevent users from connecting to it via unencrypted connections. Without this header or a misconfigured header, an attacker who is able to modify the network traffic of a legitimate user could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacking its users. This attack occurs by rewriting HTTPS links as HTTP so that if a targeted user follows a link from an HTTP page to the Web site, his or her browser never attempts to use an encrypted connection. The sslstrip tool automates this process.

This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi or a corporate or home network shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker residing at the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced attacker could potentially attack any connection through the core infrastructure of the Internet.

The application should instruct web browsers to access the application via HTTPS only. To do this, enable HTTP-Strict-Transport-Security (HSTS) by adding a response header named Strict-Transport-Security and the value max-age=expireTime, where expireTime is the time in seconds that should remind browsers to access the Web site only over HTTPS. Consider adding the flag includeSubDomains if necessary.

The application cannot prevent users from connecting to it via unencrypted connections. Without this header or a misconfigured header, an attacker who is able to modify the network traffic of a legitimate user could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacking its users. This attack occurs by rewriting HTTPS links as HTTP so that if a targeted user follows a link from an HTTP page to the Web site, his or her browser never attempts to use an encrypted connection. The sslstrip tool automates this process.

This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi or a corporate or home network shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker residing at the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced attacker could potentially attack any connection through the core infrastructure of the Internet.

The application should instruct web browsers to access the application via HTTPS only. To do this, enable HTTP-Strict-Transport-Security (HSTS) by adding a response header named Strict-Transport-Security and the value max-age=expireTime, where expireTime is the time in seconds that should remind browsers to access the Web site only over HTTPS. Consider adding the flag includeSubDomains if necessary.