logo

Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec)

  • Risk:
  • Low

  • Type:
  • Passive
Summary

A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Solution

Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with an appropriate format.

References

https://datatracker.ietf.org/doc/html/rfc6797#section-6.1

Free security scan for your website