Check of HSTS protection

| Check | HSTS protection error |
|---|---|
| Description | HTTP Strict Transport Security (HSTS) ensures that the website can only be accessed via a secure HTTPS connection for a specified time period. The website operator defines the length of that period and whether the rule should also apply to subdomains. |
| Background | If HTTP Strict Transport Security (HSTS) protection is inactive, the communication between your website and its visitors can be intercepted and manipulated. |
| Impact | Currently, your website is not protected against protocol downgrade attacks (forcing the use of an outdated SSL/TLS standard) or against cookie hijacking. This allows an attacker to intercept and manipulate your users' communication. Using this information, an attacker could launch further attacks or spam your users with unwanted advertisements and malicious code. HTTP Strict Transport Security (HSTS) is an excellent feature to strengthen your site and its implementation of TLS by forcing the user agent to use HTTPS. |
| Solution / Tips | If the connection to your page is not encrypted, all communication between your site and its users can be intercepted and manipulated. HTTP Strict Transport Security (HSTS) is a web security policy mechanism that is easy to integrate: the server sends a `Strict-Transport-Security` response header, for example `max-age=63072000; includeSubdomains`. |

Here is an example of an .htaccess file which will set the Header Scanner to green (.htaccess example):

```apache
# Activate HTTP Strict Transport Security (HSTS)
# Required: "max-age"
# Optional: "includeSubDomains"
<IfModule mod_headers.c>
    Header set Strict-Transport-Security "max-age=31556926; includeSubDomains"
</IfModule>
```

The `<IfModule>` guard keeps the file from breaking the site if mod_headers is not loaded. Use `Header always set` instead of `Header set` if the header must also be sent on redirect and error responses, which `set` alone does not cover.
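The following Python script is an added example of the kind of check this scanner performs; it is not the Header Scanner's own code. It parses a `Strict-Transport-Security` value according to the directive grammar of RFC 6797 (case-insensitive names, `max-age` required, each directive at most once, unknown directives ignored) and classifies the result. The one-year minimum for `max-age`, the hostnames and the sample header values are constructed assumptions, not values from the page.

```python
"""Classify Strict-Transport-Security header values the way a header scanner would.

Added example, not code from the original page. Directive grammar follows
RFC 6797 section 6.1; the minimum max-age and the sample data are assumptions.
"""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed scanner threshold: one year in seconds (not taken from the page).
MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse the directives of one STS header value into an HstsPolicy."""
    policy = HstsPolicy()
    seen = set()
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be a quoted-string
        if name in seen:                     # a directive must not appear twice
            policy.errors.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                policy.max_age = int(value)
            else:
                policy.errors.append(f"max-age is not a non-negative integer: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # any other directive is ignored, as RFC 6797 requires
    if "max-age" not in seen:
        policy.errors.append("required max-age directive missing")
    return policy


def check_hsts(header_value: Optional[str],
               min_max_age: int = MIN_MAX_AGE) -> Tuple[str, List[str]]:
    """Return (status, findings) for the header of one HTTPS response."""
    if header_value is None:
        return "missing", ["no Strict-Transport-Security header on the HTTPS response"]
    policy = parse_hsts(header_value)
    if policy.errors:
        return "invalid", policy.errors
    if policy.max_age == 0:
        # max-age=0 tells browsers to delete the stored policy for this host
        return "disabled", ["max-age=0 instructs browsers to drop the stored policy"]
    findings = []
    status = "ok"
    if policy.max_age < min_max_age:
        status = "weak"
        findings.append(f"max-age {policy.max_age} is below {min_max_age} seconds")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set; subdomains stay unprotected")
    return status, findings


# Constructed sample: header values as they might be seen on five hosts.
SAMPLE_RESPONSES = {
    "example.test": "max-age=63072000; includeSubdomains",
    "docs.example.test": "max-age=31556926; includeSubDomains",
    "legacy.example.test": "max-age=300",
    "broken.example.test": "includeSubDomains",
    "plain.example.test": None,
}


def scan(responses=SAMPLE_RESPONSES):
    """Map every host to its HSTS status."""
    return {host: check_hsts(value)[0] for host, value in responses.items()}


if __name__ == "__main__":
    for host, value in SAMPLE_RESPONSES.items():
        status, findings = check_hsts(value)
        print(f"{host:<22} {status:<9} {'; '.join(findings)}")
```

Both header values from the page classify as `ok`, the short `max-age=300` as `weak`, and a header without `max-age` as `invalid`. A real scanner would read the header from an actual HTTPS response; keeping the parsing and the policy decision separate, as here, lets the same logic run against captured headers in a test suite.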