Enable HSTS

The web server does not send the HTTP Strict Transport Security (HSTS) header. HSTS tells browsers to reach this host only over HTTPS for a configured period, which prevents downgrade attacks (such as SSL stripping) to an insecure HTTP connection.

Security Assessment


CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability Information

HSTS is a response header, Strict-Transport-Security, that a site sends over HTTPS. Once a browser has seen it, it rewrites every http:// request to that host to https:// and refuses to proceed past certificate errors for the duration given by the max-age directive (in seconds). Without it, a user who types the bare hostname, or follows an old http:// link, first makes a plaintext request, and an attacker on the path can answer that request and keep the connection on HTTP (or proxy it) instead of letting the redirect to HTTPS happen.

The header has three parts: max-age (required; one year, 31536000, or two years is the usual choice), includeSubDomains (also protects every subdomain, so only set it once all subdomains are served over HTTPS) and preload (signals that the site may be submitted to the browser preload list). Two caveats matter in practice: browsers ignore the header when it arrives over plain HTTP or with an invalid certificate, so it must be emitted by the HTTPS server block, and the very first visit is still unprotected unless the host is on the preload list. Sending max-age=0 over HTTPS clears a previously stored policy.
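To check a host before and after applying one of the guides, the following script, written for this page and not part of the original text, parses the Strict-Transport-Security header out of raw response headers and judges whether it is present, has a max-age of at least one year and covers subdomains. The sample responses embedded at the bottom are constructed for the example, not captured from any real server; the live check uses plain `curl -sI` against an assumed hostname you supply.

```shell
#!/bin/sh
# Added example: validate an HSTS header offline, and optionally against a live host.

# Extract the Strict-Transport-Security value from raw HTTP response headers
# (as printed by `curl -sI`). Header names are case-insensitive; prints the
# value without the trailing CR, or nothing if the header is absent.
hsts_value() {
    printf '%s\n' "$1" | tr -d '\r' \
        | grep -i '^strict-transport-security:' | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//'
}

# Parse the max-age directive (seconds) out of an HSTS value; prints 0 when
# it is missing or not a plain integer.
hsts_max_age() {
    age=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr -d ' ' | tr ';' '\n' \
        | grep '^max-age=' | head -n 1 | cut -d= -f2)
    case "$age" in
        ''|*[!0-9]*) echo 0 ;;
        *) echo "$age" ;;
    esac
}

# Prints "ok" and returns 0 when the header is present, max-age is at least
# one year (31536000 s, the minimum the Chromium preload list accepts) and
# includeSubDomains is set; otherwise prints the reason and returns 1.
hsts_ok() {
    value=$(hsts_value "$1")
    [ -n "$value" ] || { echo "missing"; return 1; }
    age=$(hsts_max_age "$value")
    [ "$age" -ge 31536000 ] || { echo "max-age too low ($age)"; return 1; }
    printf '%s\n' "$value" | tr 'A-Z' 'a-z' | grep -q 'includesubdomains' \
        || { echo "includeSubDomains missing"; return 1; }
    echo "ok"
}

# Live check: fetch headers over HTTPS only. Browsers ignore HSTS sent over
# plain HTTP, so probing http:// would tell you nothing useful.
hsts_check_host() {
    hsts_ok "$(curl -sI --max-time 10 "https://$1/")"
}

# Constructed sample responses (not from any real server):
GOOD_HEADERS='HTTP/2 200
content-type: text/html
strict-transport-security: max-age=63072000; includeSubDomains; preload
'
WEAK_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=300
'
NONE_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html
'

# Usage: sh hsts_check.sh --demo        (runs the three samples)
#        sh hsts_check.sh example.com   (assumed hostname; live check)
case "${1:-}" in
    --demo) hsts_ok "$GOOD_HEADERS"; hsts_ok "$WEAK_HEADERS"; hsts_ok "$NONE_HEADERS" ;;
    '')     ;;
    *)      hsts_check_host "$1" ;;
esac
```

The one-year threshold is a policy choice: shorter values do take effect, but a short max-age leaves users exposed again as soon as it expires, and preload submission will reject it.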

Guides

Use the following guides to add the Strict-Transport-Security response header to your web server's HTTPS configuration.

Let's Encrypt

With Let's Encrypt (certbot) it is very easy to enable HSTS. When creating a new certificate, just add the --hsts flag. If your certificates were already generated by Let's Encrypt, run the same command again and choose "Attempt to reinstall this existing certificate" as the first option. This reuses your certificate and only adds the HSTS header to the server configuration. Note that --hsts is an installer enhancement: it works with the --apache or --nginx installer, not with the standalone or webroot methods, which never touch the web server configuration. Afterwards, check the directive certbot wrote, since it sets only max-age; add includeSubDomains or preload yourself if you want them.


https://github.com/crashtest-security/gist/blob/master/ssl_tls_vulnerabilities/hsts/lets_encrypt

Apache

On Apache you need to update your SSL configuration to include the correct Header directive. Add it to the port-443 virtual host configuration in /etc/apache2/sites-enabled/domain.conf or /etc/httpd/sites-enabled/domain.conf (or wherever your TLS virtual host lives). The Header directive is provided by mod_headers, which is not enabled by default on Debian and Ubuntu (a2enmod headers). Run apachectl configtest before reloading.


https://github.com/crashtest-security/gist/blob/master/ssl_tls_vulnerabilities/hsts/apache
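An Apache 2.4 virtual host pair carrying the header, added here as an example that is not the page's gist: example.com and the /etc/letsencrypt/live/... certificate paths are placeholders, and the max-age of two years with includeSubDomains and preload is a choice, not a requirement.

```apache
# Added example (not the page's gist). Requires mod_headers:
#   a2enmod headers && apachectl configtest && systemctl reload apache2
<VirtualHost *:443>
    # Placeholder hostname and assumed certbot certificate paths
    ServerName example.com
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # "always" adds the header to error responses (4xx/5xx) as well; the
    # default "onsuccess" table would leave them without it.
    # Only keep includeSubDomains and preload if every subdomain is served
    # over HTTPS: removal from the preload list takes months.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</VirtualHost>

# Browsers ignore HSTS received over plain HTTP, so the port-80 host sends
# no header and only redirects to HTTPS.
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>
```

Do not put the Header line in the port-80 virtual host or in a global context that both hosts share: it would be harmless but misleading, and a global `Header set` (without `always`) is also silently dropped on error responses.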

nginx

On nginx you need to update your SSL configuration, which is usually located at /etc/nginx/nginx.conf or /etc/nginx/sites-enabled/yoursite.com (Ubuntu / Debian) or /etc/nginx/conf.d/nginx.conf (RHEL / CentOS), to include the correct header with the add_header directive inside the server block that listens on 443 with ssl. Use the always parameter so the header is also sent on error responses, and remember that add_header directives are inherited from the enclosing block only when the inner block defines none of its own: any location that sets another add_header must repeat the HSTS line. Run nginx -t before reloading.


https://github.com/crashtest-security/gist/blob/master/ssl_tls_vulnerabilities/hsts/nginx
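An nginx server block pair carrying the header, added here as an example that is not the page's gist. The hostname, certificate paths and the /api/ location are placeholders; the location exists only to show the inheritance caveat in working configuration.

```nginx
# Added example (not the page's gist). Check and apply with:
#   nginx -t && systemctl reload nginx
server {
    listen 443 ssl;
    server_name example.com;   # placeholder hostname (assumption)
    # assumed certbot certificate paths
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # "always" emits the header on every status code, not only 2xx/3xx.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    location /api/ {
        # Caveat: because this block has its own add_header, it inherits
        # nothing from the server level. Without the second line below,
        # responses under /api/ would carry no HSTS header at all.
        add_header Cache-Control "no-store";
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    }
}

# Browsers ignore HSTS received over plain HTTP, so the port-80 server
# sends no header and only redirects to HTTPS.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

After reloading, confirm with `curl -sI https://example.com/ | grep -i strict` and also request a path inside any location that sets headers of its own, since that is where the header most often goes missing.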

For more information about Crashtest Security visit crashtest-security.com