ZAP – Strict-Transport-Security Header on Plain HTTP Response

Details
Alert ID	10035-4
Alert Type	Passive
Status	release
Risk	Informational
CWE	319
WASC	15
Technologies Targeted	All
Tags	CWE-319 OWASP_2017_A06 OWASP_2021_A05
More Info	Scan Rule Help

Summary

A HTTP Strict Transport Security (HSTS) header was found, but HSTS headers are ignored on plain (non-HTTPS) responses. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Solution

Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security for HTTPS responses.

Other Info

References

https://datatracker.ietf.org/doc/html/rfc6797#section-8.1

Code

org/zaproxy/zap/extension/pscanrules/StrictTransportSecurityScanRule.java