Vulnerabilities / HSTS header with low duration
PCI-DSS -> 4.1, 6.5.4
The application is setting the
Strict-Transport-Security header but with an insecure value, specifically with a low
max-age value. A low
max-age value means browsers will remember that the site is only to be accessed using HTTPS for a short time. Every time the
max-age expires, the browser will allow HTTP requests to be made to the site, thus putting whatever information is being transmitted at risk of being intercepted by an attacker. The lower the value, the more likely for HTTP requests to be allowed and more chances of putting the information at risk.
How to fix
The application should set the
Strict-Transport-Securityheader with secure values. You just need to increase the
max-agevalue to a higher value.
A secure header will look like this:
max-agevalue is set to 6 months to increase the chances of the browser remembering that the site is only to be accessed using HTTPS, therefore protecting the user. If the user visits the site again in the 6 months window, which is likely if the user visits the site frequently, it will make the browser remember the setting for another 6 months, thus protecting the user almost constantly.