Vulnerabilities / HSTS header does not protect subdomains
PCI-DSS -> 4.1, 6.5.4
The application sets the Strict-Transport-Security header, but with an insecure value: the includeSubdomains option is missing. The includeSubdomains option extends the protection of the header to all subdomains, preventing situations where an attacker registers (or takes over) a subdomain and leverages it to read session cookies scoped to the parent domain.
How to fix
The application should set the Strict-Transport-Security header with secure values. You just need to add the includeSubdomains option. A secure header will look like this:
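As an added example that is not part of the original page, the following Python checker parses a Strict-Transport-Security value according to RFC 6797 (directive names are case-insensitive, so the page's spelling includeSubdomains and the canonical includeSubDomains both count) and reports why the header with and without the option does or does not protect subdomains. The sample header values are constructed, and the one-year minimum max-age is an assumed threshold.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class HstsPolicy:
    max_age: Optional[int]  # None when the required max-age directive is absent or invalid
    include_subdomains: bool
    preload: bool

def parse_hsts(value: str) -> HstsPolicy:
    """Parse per RFC 6797 section 6.1: ';'-separated directives, case-insensitive
    names, unknown directives ignored, includeSubDomains is a valueless flag."""
    max_age, include_sub, preload = None, False, False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # max-age may be sent as a quoted-string
        if name == "max-age" and val.isdigit():
            max_age = int(val)
        elif name == "includesubdomains":  # the page's spelling 'includeSubdomains' matches too
            include_sub = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_sub, preload)

def hsts_findings(value: str, min_age: int = 31536000) -> List[str]:
    """Return the weaknesses in a header value; an empty list means it is secure.
    min_age (one year) is an assumed threshold, not a value taken from the page."""
    policy = parse_hsts(value)
    findings = []
    if policy.max_age is None:
        findings.append("max-age missing or invalid: browsers ignore the header")
    elif policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age} is below {min_age} seconds")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains stay reachable over HTTP")
    return findings

# Constructed sample header values (not from a real site).
INSECURE = "max-age=31536000"
SECURE = "max-age=31536000; includeSubDomains"

if __name__ == "__main__":
    for header in (INSECURE, SECURE):
        print(header, "->", hsts_findings(header) or ["OK"])
```

Run it against the header your server actually sends (for example, copied from the response in browser developer tools) to confirm the option is present and the policy is long enough.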
With the includeSubdomains option, all requests to URLs in the current domain and its subdomains will go over HTTPS. When you set includeSubdomains, make sure you can serve every subdomain over HTTPS, because browsers will refuse plain HTTP for all of them once the policy is cached! It is, however, important that you add the includeSubdomains option whenever possible.