The HTTP Strict Transport Security (HSTS) feature lets a web application inform the browser, through a special response header, that it must never connect to the specified domain over plain HTTP. Instead, the browser automatically upgrades every request for that site to HTTPS for as long as the policy's max-age lasts.
- Test HTTP Strict Transport Security (WSTG-CONF-07)
- HTTP Strict Transport Security Cheat Sheet (OWASP)
- Strict transport security not enforced (PortSwigger)
- HTTP Strict Transport Security (HSTS) Policy Not Enabled (Netsparker)
- What Is HSTS and Why Should I Use It? (Acunetix)
HSTS IS DANGEROUS WHEN NOT PROPERLY MANAGED. SKIP THIS TEST.
If a website declares an HSTS policy, the browser must refuse all HTTP connections and prevent users from accepting insecure SSL certificates.
Check the Strict-Transport-Security (HSTS) header (over HTTPS, since browsers ignore the header on plain HTTP responses; the case-insensitive grep also matches the lowercase header names curl prints for HTTP/2):
curl -s -D- -o /dev/null https://domain.com/ | grep -i strict-transport-security
Result expected:
Strict-Transport-Security: max-age=...
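Seeing the header is only half the check; its directives decide whether the policy is actually effective. The following added example (not part of the original page or the referenced guides) parses the raw header dump that the curl command above produces and flags the weak configurations a tester would report: header absent, max-age missing or non-numeric (browsers then ignore the header entirely), max-age=0 (which clears an existing policy), a max-age shorter than one year, and a missing includeSubDomains. The sample header lines and the one-year threshold are assumptions constructed for the example.

```python
from typing import Dict, List, Optional

# Constructed sample header dumps, not captured from any real host.
SAMPLE_HEADERS = {
    "good":    "HTTP/2 200\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload\n",
    "short":   "HTTP/2 200\nstrict-transport-security: max-age=300\n",
    "disable": "HTTP/2 200\nStrict-Transport-Security: max-age=0\n",
    "missing": "HTTP/2 200\nContent-Type: text/html\n",
}

# Assumed baseline: one year, the value commonly required before a domain is accepted for preloading.
MIN_MAX_AGE = 31536000


def parse_hsts(raw_headers: str) -> Optional[Dict[str, Optional[str]]]:
    """Locate the first Strict-Transport-Security header (names are case-insensitive)
    and split its value into a directive -> value map (value None for flag directives)."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            directives: Dict[str, Optional[str]] = {}
            for part in value.split(";"):
                part = part.strip()
                if not part:
                    continue
                key, has_value, val = part.partition("=")
                # Directive names are case-insensitive; values may be quoted.
                directives[key.strip().lower()] = val.strip().strip('"') if has_value else None
            return directives
    return None


def evaluate_hsts(raw_headers: str) -> List[str]:
    """Return a list of findings; an empty list means the policy looks sound."""
    directives = parse_hsts(raw_headers)
    if directives is None:
        return ["no Strict-Transport-Security header"]

    findings: List[str] = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        # RFC 6797 requires max-age; without a valid one the UA discards the header.
        findings.append("max-age missing or not numeric (header is ignored by browsers)")
        return findings

    age = int(max_age)
    if age == 0:
        findings.append("max-age=0 clears the policy")
    elif age < MIN_MAX_AGE:
        findings.append(f"max-age={age} is shorter than one year")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent")
    return findings


if __name__ == "__main__":
    for label, dump in SAMPLE_HEADERS.items():
        print(f"{label}: {evaluate_hsts(dump) or 'OK'}")
```

To run it against a live target, pipe the output of `curl -s -D- -o /dev/null https://domain.com/` into `evaluate_hsts`; only the response headers are needed, so the body is discarded.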