Configuration Management / Strict Transport Security Not Enforced
Description
HTTP Strict-Transport-Security (HSTS) is a web security policy mechanism that helps protect websites against protocol downgrade attacks and cookie hijacking. It allows a web server to declare that browsers should only interact with it over secure HTTPS connections and never via the insecure HTTP protocol. A configuration management vulnerability occurs when the HSTS header is not sent, allowing a malicious attacker to intercept the traffic between the user and the server, potentially stealing sensitive data.
Risk
The risk of this vulnerability is high, as it allows data to be intercepted and stolen by malicious actors. Unauthorized access to sensitive data can lead to financial losses, identity theft, and data leakage. Additionally, attackers can use the intercepted data to launch further attacks, such as phishing campaigns and other malicious activities.
Solution
The best way to fix this vulnerability is to enforce the HSTS header. This can be done by adding an appropriate setting in the web server configuration file. Additional information is provided in the OWASP Cheat Sheet.
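As an added example (not part of this finding page), a small Python checker that parses the Strict-Transport-Security header according to RFC 6797 and reports why a response does not enforce HSTS, which is useful for verifying the fix after changing the server configuration. The one-year minimum max-age and the sample headers are assumptions constructed for the example.

```python
"""Check whether a response enforces HSTS (RFC 6797 directives)."""
from typing import Dict, List

# Assumption for this example: accept nothing below one year, the value
# commonly recommended for a production max-age.
MIN_MAX_AGE = 31536000


def parse_hsts(value: str):
    """Split 'max-age=N; includeSubDomains; preload' into its directives."""
    max_age, include_sub, preload = None, False, False
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {val!r}")
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload


def check_hsts(headers: Dict[str, str], min_max_age: int = MIN_MAX_AGE) -> List[str]:
    """Return a list of findings; an empty list means HSTS is enforced."""
    # Header names are case-insensitive, so match on a lowercased key.
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["Strict-Transport-Security header not sent"]
    try:
        max_age, include_sub, _preload = parse_hsts(value)
    except ValueError as exc:
        return [f"malformed header: {exc}"]
    findings = []
    if max_age is None:
        # RFC 6797 requires max-age; browsers ignore the header without it.
        findings.append("max-age directive missing; browsers ignore the header")
    elif max_age < min_max_age:
        findings.append(f"max-age={max_age} is below the {min_max_age}s minimum")
    if not include_sub:
        findings.append("includeSubDomains not set; subdomains stay reachable over HTTP")
    return findings


# Constructed sample responses (not captured from a real server).
WEAK = {"Strict-Transport-Security": "max-age=300"}
GOOD = {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"}
```

Running `check_hsts` against each response of an application after deployment turns the "header not sent" finding into a repeatable regression check.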