TWA 0205
Nemo edited this page Oct 29, 2019 · 1 revision
"Strict-Transport-Security missing"
Sending a Strict-Transport-Security (HSTS) header tells browsers to contact your site only over HTTPS, which protects your users against HTTP downgrade attacks such as SSL stripping. Most browsers default to plain HTTP when a user types example.com into the address bar, and that first insecure request is what an attacker on the path can intercept or redirect. Once a browser has received a valid HSTS header from the site over HTTPS, it remembers the policy for max-age seconds and rewrites any http:// request for that host to https:// before sending it, so the insecure request never leaves the browser again. A browser that holds an HSTS policy for a host also refuses to let the user click through certificate errors for it. Note that the header is only honoured when it arrives over an HTTPS connection without certificate errors; a browser that has never seen the site over HTTPS has no policy to enforce, which is the gap the preload list (below) closes.
See the documentation on MDN for more details.
Configure your web server to send a valid Strict-Transport-Security header on every HTTPS response (browsers ignore it on plain HTTP responses). A valid, secure configuration is:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Here, max-age is set to 2 years (63072000 seconds), includeSubDomains applies the policy to all subdomains of the host as well, and preload signals that the domain may be submitted to the browsers' built-in HSTS preload list at hstspreload.org, which requires a max-age of at least one year, includeSubDomains, the preload token and an HTTP-to-HTTPS redirect. Before enabling includeSubDomains, confirm that every subdomain is reachable over HTTPS, because the policy will make any that is HTTP-only unreachable for the whole max-age period.
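The following is an added example, not the scanner's own check, of how a header value can be parsed and graded against the configuration recommended above. It follows the directive syntax of RFC 6797 (case-insensitive names, a mandatory max-age whose value may be quoted, no duplicate directives, unknown directives ignored) and reports why a header falls short. The minimum age of one year, the directive names and the sample values are assumptions made for the example.

```python
"""Parse and grade a Strict-Transport-Security header (RFC 6797 syntax)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Minimum max-age this check accepts. One year is also the threshold the
# hstspreload.org submission form requires (assumed as the check's default).
ONE_YEAR = 31536000
RECOMMENDED = "max-age=63072000; includeSubDomains; preload"  # value recommended above


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)


def parse_hsts(header: str) -> HstsPolicy:
    """Parse a header value as RFC 6797 section 6.1 describes it:
    directives are separated by ';', names are case-insensitive, max-age is
    mandatory and its value may be a quoted-string, a directive must not
    appear twice, and unknown directives are ignored."""
    policy = HstsPolicy()
    seen = set()
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue  # tolerate a trailing ';' or an empty directive
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            policy.errors.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                policy.max_age = int(value)
            else:
                policy.errors.append(f"max-age is not a non-negative integer: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # any other directive is ignored, as the RFC requires
    if "max-age" not in seen:
        policy.errors.append("max-age directive missing")
    return policy


def evaluate_hsts(header: Optional[str], min_age: int = ONE_YEAR,
                  require_preload: bool = False) -> List[str]:
    """Return findings for the header a server sent over HTTPS; an empty list
    means it meets the configuration recommended on this page."""
    if header is None:
        return ["Strict-Transport-Security header missing"]
    policy = parse_hsts(header)
    findings = list(policy.errors)
    if policy.max_age is not None:
        if policy.max_age == 0:
            findings.append("max-age=0 tells browsers to forget the policy")
        elif policy.max_age < min_age:
            findings.append(f"max-age {policy.max_age} is below {min_age}")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing")
    if require_preload and not policy.preload:
        findings.append("preload missing")
    return findings


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    for sample in (None, "max-age=300", "max-age=0; includeSubDomains", RECOMMENDED):
        print(repr(sample), "->", evaluate_hsts(sample) or "OK")
```

Run the check against the header returned by the HTTPS endpoint, not the HTTP one: a header seen only on a plain HTTP response is ignored by browsers and should still be reported as missing.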