Http Strict Transport Low Max Age
Description
Detects when HTTP Strict Transport Security (HSTS) is configured with an insufficient max-age value (less than 1 year, i.e. 31536000 seconds). A low HSTS max-age reduces the security benefit of HSTS: the browser enforces the strict transport policy only until max-age expires, so the policy must be renewed more frequently, and users who return after it has lapsed are potentially exposed to downgrade attacks until it is renewed.
Weakness:
131 - Insecure or unset HTTP headers - Strict Transport Security
Category: Protocol Manipulation
Detection Strategy
• Examines the Strict-Transport-Security HTTP response header for the max-age directive
• Reports a vulnerability if max-age is present but set to less than 31536000 seconds (1 year)
• Only triggers on responses that include an HSTS header with an explicit max-age value
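The detection logic described above, written out as an added example (not Fluid Attacks' own code): it reads the Strict-Transport-Security header, extracts max-age, and reports a finding only when an explicit max-age is present and below one year. The sample response headers are constructed for illustration.

```python
import re
from typing import Dict, Optional

ONE_YEAR_SECONDS = 31536000  # minimum max-age the check expects


def parse_hsts_max_age(header_value: str) -> Optional[int]:
    """Return the max-age directive of an HSTS header value.

    Directive names are case-insensitive and the value may be quoted
    (RFC 6797). Returns None when max-age is absent or not a number.
    """
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if re.fullmatch(r"\d+", value) else None
    return None


def check_hsts_low_max_age(headers: Dict[str, str]) -> Optional[str]:
    """Mirror the detection strategy; return a finding string or None.

    No HSTS header, or an HSTS header without an explicit max-age, does not
    trigger this check (other checks would cover those cases).
    """
    hsts = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"),
        None,
    )
    if hsts is None:
        return None
    max_age = parse_hsts_max_age(hsts)
    if max_age is None:
        return None
    # max-age=0 is also reported: it instructs the browser to drop the policy.
    if max_age < ONE_YEAR_SECONDS:
        return f"HSTS max-age={max_age} is below {ONE_YEAR_SECONDS} seconds (1 year)"
    return None


if __name__ == "__main__":
    # Constructed sample responses: one weak, one compliant.
    weak = {"Strict-Transport-Security": "max-age=86400; includeSubDomains"}
    strong = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
    print(check_hsts_low_max_age(weak))    # finding reported
    print(check_hsts_low_max_age(strong))  # None
```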