Http Include Subdomains Not Enabled
Description
Detects when a web application has HSTS (HTTP Strict Transport Security) enabled but is missing the includeSubDomains directive. This configuration gap leaves subdomains vulnerable to downgrade attacks since they aren't forced to use HTTPS, potentially allowing attackers to intercept traffic on subdomains.
Weakness:
131 - Insecure or unset HTTP headers - Strict Transport Security
Category: Protocol Manipulation
Detection Strategy
• Checks if the Strict-Transport-Security header is present in HTTP responses
• Verifies if the includeSubDomains directive is explicitly set in the HSTS header
• Reports a vulnerability if HSTS is enabled but includeSubDomains is missing or set to false
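The three checks above, as an added example in Python that is not Fluid Attacks' own scanner code; the response headers are constructed samples, and the directive parsing follows RFC 6797 (directives separated by ";", names case-insensitive, includeSubDomains valueless).

```python
from typing import Dict, Optional

# Added example: parse an HSTS header and apply this page's detection strategy.

def parse_hsts(header: Optional[str]) -> Dict[str, Optional[str]]:
    """Map lower-cased directive names to their value (None when valueless)."""
    directives: Dict[str, Optional[str]] = {}
    if header is None:
        return directives
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if name not in directives:          # RFC 6797: first occurrence wins
            directives[name] = value.strip().strip('"') if sep else None
    return directives


def check_include_subdomains(headers: Dict[str, str]) -> Optional[str]:
    """Return a finding string, or None when the response passes.

    Step 1: HSTS header present at all? (header names are case-insensitive)
    Step 2: includeSubDomains directive present?
    Step 3: not explicitly disabled (the page also treats '=false' as missing).
    """
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        return None  # HSTS not enabled: a different finding, not this one
    directives = parse_hsts(hsts)
    if "includesubdomains" not in directives:
        return "HSTS enabled without includeSubDomains"
    value = directives["includesubdomains"]
    if value is not None and value.lower() == "false":
        return "HSTS includeSubDomains explicitly disabled"
    return None


# Constructed sample responses: the weak setting beside the corrected one.
WEAK_RESPONSE = {"Strict-Transport-Security": "max-age=31536000"}
FIXED_RESPONSE = {"Strict-Transport-Security":
                  "max-age=31536000; includeSubDomains; preload"}

if __name__ == "__main__":
    print("weak :", check_include_subdomains(WEAK_RESPONSE))
    print("fixed:", check_include_subdomains(FIXED_RESPONSE))
```

Apex and subdomain responses must be tested separately: a subdomain that sets its own HSTS header without includeSubDomains still leaves its own children unprotected.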