The web server does not send an HTTP Strict Transport Security (HSTS) header. HSTS tells browsers to reach the site over HTTPS only, which prevents downgrade attacks that move a user onto an insecure HTTP connection.
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that tells browsers to connect to a website over HTTPS only. Once a browser knows the policy, it rewrites any http:// URL for that host to https:// before sending the request, so the usual HTTP-to-HTTPS redirect never travels over the network and cannot be intercepted or stripped by an attacker on the path.
The policy is delivered in the Strict-Transport-Security response header, which the server sends with its HTTPS responses; browsers ignore the header when it arrives over plain HTTP. Because the browser only learns the policy from a response it has already received, the very first visit (and any visit after a stored policy has expired) is not protected; the browser vendors' HSTS preload list exists to close that gap.
The header also removes the option to click through browser warnings about an invalid or untrusted SSL/TLS certificate: for an HSTS host a certificate error is a hard failure, so an attacker cannot present a self-signed certificate and rely on the user accepting it.
Below you can find examples of how to enable HSTS on different platforms.
It is important to note that when deploying, the HSTS policy should be declared on the base domain (often called the root domain, although strictly the two are different things). For example, declare it on
https://crashtest-security.com/ rather than only on a subdomain, because a policy received from a subdomain never applies to the domains above it.
To cover subdomains, add the
includeSubDomains directive. For this to work, every subdomain of the base domain must also be reachable over HTTPS with a valid certificate: once a browser has stored the policy it refuses to load any subdomain over plain HTTP, so an HTTP-only subdomain becomes unreachable.
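The following is an added example, not code from the original page. It models the browser side of what the paragraphs above describe: a minimal HSTS store that learns a policy only from HTTPS responses, upgrades http:// requests for known hosts, honours includeSubDomains downwards but never upwards, and forgets the entry when max-age runs out. Host names, the header value and the clock are constructed sample data.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(value):
    """Parse a Strict-Transport-Security value.  Returns None when max-age
    is missing or malformed, which RFC 6797 says the browser must treat
    as no policy at all."""
    max_age, include_sub, preload = None, False, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None or max_age < 0:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub, "preload": preload}


class HstsStore:
    """The browser's list of known HSTS hosts: host -> (expiry, includeSubDomains)."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock (constructed for the demo)
        self.hosts = {}

    def process_response(self, url, headers):
        """Learn a policy from a response.  Only https:// responses count; a
        header received over plain http:// is ignored.  Returns True if the
        store changed."""
        u = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if u.scheme != "https" or value is None:
            return False
        policy = parse_sts(value)
        if policy is None:
            return False
        host = u.hostname.lower()
        if policy["max_age"] == 0:
            self.hosts.pop(host, None)        # max-age=0 removes the entry
        else:
            self.hosts[host] = (self.now() + policy["max_age"],
                                policy["include_subdomains"])
        return True

    def is_known(self, host):
        """Exact match, or a parent domain whose entry has includeSubDomains.
        An entry for www.example.com never covers example.com itself, which
        is why the policy must be declared on the base domain."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.hosts.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= self.now():
                del self.hosts[candidate]       # expired: forget it
            elif i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts before any request is
        sent; everything else passes through unchanged."""
        u = urlsplit(url)
        if u.scheme != "http" or not u.hostname or not self.is_known(u.hostname):
            return url
        netloc = u.netloc[:-3] if u.netloc.endswith(":80") else u.netloc
        return urlunsplit(("https", netloc, u.path, u.query, u.fragment))


def demo():
    """Replay the scenarios from the text with constructed hosts and a fake
    clock; returns what the browser would actually request in each case."""
    clock = [1_000_000]
    store = HstsStore(now=lambda: clock[0])
    hdr = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"}
    out = {}
    out["first_visit"] = store.rewrite("http://example.com/login")      # not yet known
    store.process_response("http://example.com/", hdr)                  # over HTTP: ignored
    out["after_http_header"] = store.rewrite("http://example.com/login")
    store.process_response("https://example.com/", hdr)                 # over HTTPS: stored
    out["after_https_header"] = store.rewrite("http://example.com/login")
    out["subdomain"] = store.rewrite("http://api.example.com/v1")        # includeSubDomains
    www = HstsStore(now=lambda: clock[0])
    www.process_response("https://www.example.org/", hdr)               # only on www.
    out["superdomain"] = www.rewrite("http://example.org/")             # base not covered
    clock[0] += 63072000 + 1                                            # policy expired
    out["expired"] = store.rewrite("http://example.com/login")
    return out
```

Running demo() shows the first request going out as plain HTTP, the header sent over HTTP having no effect, the base-domain policy upgrading both the host and api.example.com, a policy set only on www.example.org leaving example.org unprotected, and the upgrade disappearing once max-age has elapsed.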
Use the following guides to set the correct header enabling HSTS.
With Let's Encrypt's Certbot client, enabling HSTS is straightforward when Certbot also installs the certificate into the web server (the apache or nginx installer plugin). When creating a new certificate, add the
--hsts flag, which makes Certbot write the Strict-Transport-Security header into the server configuration. If the certificate was already issued by Let's Encrypt, run the same command and select "Attempt to reinstall this existing certificate" as the first option; the certificate is reused and the header is added. Note that --staple-ocsp enables OCSP stapling, a separate hardening step, not HSTS. Certbot's header sets max-age only, so review it and add includeSubDomains yourself if subdomains should be covered.
certbot run -d [DOMAIN] --staple-ocsp --hsts
On Nginx you need to update your SSL configuration, usually located in
/etc/nginx/nginx.conf or /etc/nginx/sites-enabled/yoursite.com (Ubuntu/Debian), or
/etc/nginx/conf.d/nginx.conf (RHEL/CentOS), so that the server block listening on 443 with ssl sends the header via the add_header directive. The always parameter makes Nginx add the header on error responses as well, not only on 2xx and 3xx:
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
Keep in mind that Nginx does not inherit add_header from the enclosing level into a location block that has its own add_header directives; repeat the line there if needed. Test with nginx -t and reload afterwards.
Apache HTTP Strict Transport Security
On Apache you need to update your SSL configuration to include the correct Header directive. It requires mod_headers (on Debian/Ubuntu: a2enmod headers, then restart Apache), and it belongs in the HTTPS virtual host (the <VirtualHost *:443> block), since browsers ignore the header on plain HTTP. The always condition ensures the header is also set on error responses. Append "; includeSubDomains" to the value if subdomains should be covered. Add this to the virtual host configuration:
Header always set Strict-Transport-Security "max-age=31536000"
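After applying one of the configurations above, check what the server actually sends. The script below is an added example, not code from the original page or from the Certbot, Nginx or Apache projects. evaluate() rates a header value against the recommendations in this text (one-year minimum max-age, includeSubDomains, consistent preload usage) and is pure, so it can be tested offline; fetch_sts() does a live HEAD request over HTTPS and, separately, over HTTP to catch the header being sent only in the wrong virtual host. The default host name "example.com" is a placeholder to replace.

```python
import http.client
import ssl
import sys

ONE_YEAR = 31536000   # seconds; the minimum max-age worth deploying


def evaluate(https_sts, http_sts=None, require_subdomains=True):
    """Rate the Strict-Transport-Security value received over HTTPS
    (https_sts, None if absent).  http_sts is the value seen on the plain
    HTTP response, if any; browsers ignore it there, so it only tells us
    the header ended up in the wrong virtual host.  Returns a list of
    findings; an empty list means the deployment matches the advice above."""
    findings = []
    if https_sts is None:
        findings.append("missing: no Strict-Transport-Security header on the HTTPS response")
        if http_sts is not None:
            findings.append("misplaced: header is sent only over HTTP, where browsers ignore it")
        return findings
    directives = {}
    for part in https_sts.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        findings.append("invalid: max-age missing or not a number, browsers drop the header")
        return findings
    max_age = int(directives["max-age"])
    if max_age == 0:
        findings.append("disabled: max-age=0 tells browsers to forget the policy")
    elif max_age < ONE_YEAR:
        findings.append(f"weak: max-age={max_age} is below one year ({ONE_YEAR})")
    if require_subdomains and "includesubdomains" not in directives:
        findings.append("scope: includeSubDomains absent, subdomains remain downgradable")
    if "preload" in directives and (max_age < ONE_YEAR or "includesubdomains" not in directives):
        findings.append("preload: directive present but the preload list requirements are not met")
    return findings


def fetch_sts(host, scheme):
    """HEAD / on the host over the given scheme; return the header value or None."""
    if scheme == "https":
        conn = http.client.HTTPSConnection(host, 443, timeout=10,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder host
    https_value = fetch_sts(target, "https")
    try:
        http_value = fetch_sts(target, "http")
    except OSError:
        http_value = None      # nothing listening on port 80 is fine
    findings = evaluate(https_value, http_value)
    print(f"{target}: HTTPS header = {https_value!r}")
    for f in findings:
        print("  -", f)
    sys.exit(1 if findings else 0)
```

Run it as python3 check_hsts.py yourdomain; a non-zero exit code means at least one finding, which makes it usable as a post-deployment check in a pipeline. The HTTPS connection uses the default certificate validation, so a host with a broken certificate fails before the header is even inspected, which matches how an HSTS-enabled browser would treat it.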