1. Introduction
The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS (HTTP Strict Transport Security) tells browsers to only connect via HTTPS. Without it, attackers can use downgrade attacks like SSL-stripping and cookie hijacking becomes easier. This affects any public-facing website using HTTPS. A lack of HSTS weakens the security of web communications, potentially compromising confidentiality, integrity, and availability of user data.
2. Technical Explanation
The vulnerability occurs when a web server does not include the `Strict-Transport-Security` header in its HTTPS responses. This allows attackers to intercept traffic and force connections over insecure HTTP. An attacker could perform a man-in-the-middle attack, stripping away the HTTPS encryption and stealing sensitive information. The preconditions are that the target website uses HTTPS but doesn’t have HSTS enabled.
- Root cause: Missing `Strict-Transport-Security` header in HTTP responses.
- Exploit mechanism: An attacker intercepts an HTTPS connection, redirects it to HTTP, and steals data transmitted over the unencrypted channel.
- Scope: Web servers using HTTPS without HSTS configured. Affected platforms include Apache, Nginx, IIS, and other web server software.
3. Detection and Assessment
You can confirm if a system is vulnerable by checking for the presence of the HSTS header in its responses. Use browser developer tools or command-line utilities to inspect HTTP headers.
- Quick checks: Use your browser’s developer tools (Network tab) and check the response headers for `Strict-Transport-Security`.
- Scanning: Nessus plugin ID 34867, OpenVAS scan script http_hsts_missing. These are examples only.
- Logs and evidence: Web server access logs may not directly indicate this issue; focus on header inspection.
curl -I https://example.com | grep Strict-Transport-Security4. Solution / Remediation Steps
Configure the remote web server to use HSTS by adding the `Strict-Transport-Security` header to its HTTPS responses. Ensure proper configuration to avoid issues with browser compatibility and subdomain handling.
4.1 Preparation
- Ensure you have access to modify the web server’s configuration. Roll back by reverting the configuration file to its previous state.
- A change window may be needed, depending on your environment. Approval from a security or infrastructure team might be necessary.
4.2 Implementation
- Step 1: Edit your web server’s configuration file (e.g., Apache’s httpd.conf, Nginx’s nginx.conf).
- Step 2: Add the `Strict-Transport-Security` header to the HTTPS virtual host configuration.
- Step 3: Restart the web server to apply the changes.
4.3 Config or Code Example
Before
# No HSTS header configuredAfter
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this issue and improve overall web server security. These include secure headers, patch cadence, and regular security assessments.
- Practice 1: Secure Headers – Implementing HSTS is a key component of a robust secure header configuration.
- Practice 2: Patch Cadence – Regularly updating your web server software ensures you have the latest security fixes.
4.5 Automation (Optional)
If using infrastructure-as-code, automate the addition of HSTS headers to your web server configurations.
# Example Ansible task:
- name: Add HSTS header to Nginx configuration
lineinfile:
path: /etc/nginx/nginx.conf
regexp: '^http {'
insertafter: '^http {'
line: ' add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";'5. Verification / Validation
Confirm the fix by checking for the HSTS header in your browser or using a command-line tool. Verify that all HTTPS traffic is redirected to HTTPS and that cookies are only sent over secure connections.
- Post-fix check: `curl -I https://example.com | grep Strict-Transport-Security` should now show the header present.
- Re-test: Re-run the earlier detection method (browser developer tools) to confirm the header is present.
- Smoke test: Verify that your website loads correctly over HTTPS and all functionality works as expected.
- Monitoring: Monitor web server logs for any errors related to HSTS configuration or redirection issues.
curl -I https://example.com | grep Strict-Transport-Security6. Preventive Measures and Monitoring
Update security baselines to include HSTS as a mandatory setting. Implement automated checks in your CI/CD pipelines to ensure that all new web server configurations include the necessary headers. Regularly review patch cycles for your web server software.
- Baselines: Update CIS benchmarks or internal security policies to require HSTS configuration.
- Pipelines: Add SAST or DAST tools to scan for missing HSTS headers during deployment.
7. Risks, Side Effects, and Roll Back
Incorrect HSTS configuration can cause browser compatibility issues. Ensure proper subdomain handling to avoid blocking access to legitimate resources. If problems occur, roll back the configuration change by reverting to the previous state.
- Risk or side effect 1: Incorrect `max-age` value may block access for some users. Mitigation: Start with a short `max-age` and gradually increase it.
- Risk or side effect 2: Subdomain misconfiguration can cause connectivity issues. Mitigation: Carefully review subdomain handling in the HSTS configuration.
- Roll back: Revert the web server configuration file to its previous state and restart the service.
8. References and Resources
- Vendor advisory or bulletin: Check your web server vendor’s documentation for HSTS configuration guidelines.
- NVD or CVE entry: https://nvd.nist.gov/vuln/detail/CVE-2018-1300
- Product or platform documentation relevant to the fix: https://tools.ietf.org/html/rfc6797