Severity: medium | CWE-319 (Cleartext Transmission of Sensitive Information) | OWASP Top 10 2021: A02 (Cryptographic Failures)

Missing HTTP Strict Transport Security (HSTS)

The Strict-Transport-Security response header is absent, so browsers will keep sending plain HTTP requests to the site. An attacker positioned on the network path can answer those cleartext requests before the HTTP-to-HTTPS redirect does and hold the victim on unencrypted HTTP (an SSL-stripping downgrade), reading or modifying everything that follows.

How It Works

Even if your server redirects HTTP to HTTPS, a user who types 'yourapp.com' into the address bar sends that first request over plain HTTP. An attacker on the same network (café Wi-Fi, corporate LAN) can answer it before the redirect reaches the browser and keep the session on HTTP. HSTS closes this gap for later visits: once a browser has received the header over HTTPS, it rewrites http:// URLs for that host to https:// locally, for max-age seconds, before any request leaves the machine, so no cleartext request is ever sent. Browsers deliberately ignore the header when it arrives over plain HTTP, so the policy can only be learned during an HTTPS visit; the very first visit stays unprotected unless the domain is on the browsers' built-in preload list.

Vulnerable Code

// BAD: redirect exists but HSTS not set
// A user types 'yourapp.com': the browser sends a plain HTTP request
// An attacker on the network answers it before the redirect to HTTPS arrives

Secure Code

// GOOD: HSTS in Next.js config (next.config.mjs)
// The header is attached to every response Next.js generates. Make sure the
// whole domain already works over HTTPS before shipping this; a cached policy
// cannot be withdrawn from users' browsers until max-age expires.
/** @type {import('next').NextConfig} */
export default {
  async headers() {
    return [{
      source: '/(.*)',                       // every route
      headers: [{
        key: 'Strict-Transport-Security',
        // two years, cover all subdomains, signal preload-list eligibility
        value: 'max-age=63072000; includeSubDomains; preload'
      }]
    }];
  }
};

Real-World Example

SSL stripping attacks (demonstrated by Moxie Marlinspike with the sslstrip tool in 2009) answer the victim's plain HTTP request themselves, fetch the real site over HTTPS, and serve it back over HTTP with https:// links rewritten, so the HTTP-to-HTTPS redirect never reaches the browser. Public Wi-Fi hotspots are a common vector. With HSTS in place, a browser that has completed one HTTPS visit within the max-age window never sends the cleartext request the attack depends on; the preload list removes the remaining first-visit window.

How to Prevent It

  • Set Strict-Transport-Security on every HTTPS response with a max-age of at least 1 year (31536000 seconds). Roll it out with a short max-age first (a few minutes) and raise it once nothing breaks, because a long policy already cached by browsers cannot be revoked quickly.
  • Include includeSubDomains to protect all subdomains; otherwise an attacker can downgrade a non-HSTS subdomain and steal cookies scoped to the parent domain. This requires every subdomain, including internal and legacy ones, to serve HTTPS.
  • Submit to the HSTS preload list at hstspreload.org for maximum protection. The list requires max-age of at least 31536000, includeSubDomains, the preload directive, and an HTTP-to-HTTPS redirect on the bare domain. Preloading is effectively permanent (removal takes weeks to months to reach all browsers), so submit only when the whole domain is committed to HTTPS.
  • Ensure your entire domain serves HTTPS before enabling HSTS. A misconfiguration locks users out until the policy expires, and a certificate error on an HSTS host cannot be clicked through in the browser.
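
The lifecycle described in the sections above, as an added Node.js example that is not part of this page or of any scanner product. It models an origin server, an SSL-stripping proxy and a browser with an HSTS policy store as plain functions, so it runs offline without opening any port. The host name 'yourapp.com', the timestamps and the simplified browser (superdomains are checked without consulting the public suffix list) are constructed for the example; the header parser and the preload-eligibility check follow the directive rules of RFC 6797 and the header requirements published at hstspreload.org.

```javascript
'use strict';
// Added example (not from this page or any scanner): an offline model of the HSTS
// lifecycle. Origin server, SSL-stripping proxy and browser are plain functions,
// so nothing listens on a port. "yourapp.com" and all timestamps are constructed.

const HSTS_VALUE = 'max-age=63072000; includeSubDomains; preload';
const ONE_YEAR = 31536000;

// Origin: 301 cleartext requests to HTTPS; send HSTS only on HTTPS responses,
// since browsers ignore the header on a plain HTTP response (RFC 6797, 8.1).
function originServer(scheme, host, path, { hsts }) {
  if (scheme === 'http') return { status: 301, headers: { location: `https://${host}${path}` } };
  return { status: 200, headers: hsts ? { 'strict-transport-security': HSTS_VALUE } : {} };
}

// SSL-stripping proxy on the victim's network: answers the cleartext request
// itself, fetches the real site over HTTPS and hands the victim plain HTTP.
// It cannot interfere once the browser opens the connection over TLS.
function sslStrip(scheme, host, path, opts, log) {
  if (scheme === 'https') return originServer(scheme, host, path, opts);
  log.push(`attacker read plaintext request for http://${host}${path}`);
  const headers = { ...originServer('https', host, path, opts).headers };
  delete headers['strict-transport-security']; // keep the victim on port 80
  return { status: 200, headers };
}

// Parse a Strict-Transport-Security value. Returns null for a value a browser
// rejects: max-age is mandatory, names are case-insensitive, unknown ones ignored.
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const directive of String(value).split(';')) {
    const [name, rawVal = ''] = directive.split('=');
    const key = name.trim().toLowerCase();
    const val = rawVal.trim().replace(/^"|"$/g, '');
    if (key === 'max-age' && /^\d+$/.test(val)) policy.maxAge = Number(val);
    else if (key === 'includesubdomains') policy.includeSubDomains = true;
    else if (key === 'preload') policy.preload = true;
  }
  return policy.maxAge === null ? null : policy;
}

// Header-side requirements published at hstspreload.org: max-age of at least one
// year, includeSubDomains and preload. (The redirect and HTTPS-on-every-subdomain
// requirements cannot be judged from the header alone.)
function preloadEligible(value) {
  const p = parseHsts(value);
  return p !== null && p.maxAge >= ONE_YEAR && p.includeSubDomains && p.preload;
}

class Browser {
  constructor(preloaded = []) {
    this.preloaded = new Set(preloaded);  // built-in list: never expires, covers subdomains
    this.store = new Map();               // dynamic entries: host -> { expires, includeSubDomains }
    this.log = [];
  }
  // True if host, or a superdomain whose policy covers subdomains, is a known HSTS host.
  isHstsHost(host, now) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const name = labels.slice(i).join('.');
      if (this.preloaded.has(name)) return true;
      const entry = this.store.get(name);
      if (!entry) continue;
      if (entry.expires <= now) { this.store.delete(name); continue; }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }
  // `network` stands in for the wire (originServer or sslStrip). Upgrades http://
  // locally for known hosts, follows 301s, and records policies seen over HTTPS only.
  navigate(url, network, now, opts) {
    const u = new URL(url);
    let scheme = u.protocol.slice(0, -1);
    if (scheme === 'http' && this.isHstsHost(u.hostname, now)) scheme = 'https';
    const res = network(scheme, u.hostname, u.pathname, opts, this.log);
    const p = scheme === 'https' && res.headers['strict-transport-security'] !== undefined
      ? parseHsts(res.headers['strict-transport-security']) : null;
    if (p && p.maxAge === 0) this.store.delete(u.hostname);
    else if (p) this.store.set(u.hostname, { expires: now + p.maxAge * 1000, includeSubDomains: p.includeSubDomains });
    if (res.status === 301) return this.navigate(res.headers.location, network, now, opts);
    return { scheme, status: res.status };
  }
}

// The victim types "yourapp.com" three times: on a trusted network (or, with
// firstVisitHostile, on hostile Wi-Fi), on hostile Wi-Fi a minute later, and on
// hostile Wi-Fi three years later, well past max-age. Each HTTPS visit refreshes
// the policy, so only a long absence lets it lapse.
function runScenario({ hsts, preloaded = [], firstVisitHostile = false }) {
  const browser = new Browser(preloaded);
  const t0 = 1700000000000;
  const visits = [
    browser.navigate('http://yourapp.com/', firstVisitHostile ? sslStrip : originServer, t0, { hsts }),
    browser.navigate('http://yourapp.com/', sslStrip, t0 + 60 * 1000, { hsts }),
    browser.navigate('http://yourapp.com/', sslStrip, t0 + 3 * ONE_YEAR * 1000, { hsts }),
  ];
  return { schemes: visits.map(v => v.scheme), strippedRequests: browser.log.length };
}

for (const args of [{ hsts: false }, { hsts: true }, { hsts: true, firstVisitHostile: true },
                    { hsts: true, firstVisitHostile: true, preloaded: ['yourapp.com'] }]) {
  console.log(JSON.stringify(args), '->', JSON.stringify(runScenario(args)));
}
```

Running it with node prints four scenarios: a redirect alone is stripped on every hostile visit; HSTS learned on a clean HTTPS visit turns later typed http:// navigations into local upgrades the attacker never sees, until the policy lapses; HSTS alone does nothing for a user whose first visit is already on the hostile network, because the stripper answers over HTTP where the header is ignored anyway; and a preloaded host is upgraded even on that first visit. preloadEligible() is the header-side part of what hstspreload.org checks before accepting a submission.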

Affected Technologies

Next.js, Node.js, nginx, Apache HTTP Server

Data Hogo detects this vulnerability automatically.
