HSTS Missing From HTTPS Server (RFC 6797)
**Disclaimer**: Please note that the following actions involve making changes to your system. We provide this information for guidance purposes only. We are not responsible for any damage or loss that may occur as a result of implementing these steps. It is recommended to proceed with caution and have a valid backup of your server before making any modifications.
Vulnerability Details
This finding means the HTTPS server does not send a Strict-Transport-Security header. HSTS (HTTP Strict Transport Security) is a security feature that tells web browsers to interact with the site only over HTTPS, preventing protocol-downgrade attacks and mitigating risks such as SSL stripping and cookie hijacking.
Severity Rating
Medium
How to Verify if a Device is Vulnerable
Use Nessus plugin ID 142960 to scan the device for this vulnerability.
You can also verify the finding manually with the tool “testssl”, which can be found here: https://testssl.sh/ After installing testssl, run this command:
testssl.sh --headers yourdomain.com:port_number
If the HSTS header is not configured, the output will say so under “Strict Transport Security”.

How to Fix
On your website, configure the HSTS header. Add the Strict-Transport-Security header to your web server configuration.
How to do this:
Apache:
1. Edit the Configuration File:
Open your Apache configuration file (httpd.conf or a virtual host file) by running this command:
sudo nano /etc/httpd/conf/httpd.conf
2. Add HSTS Header:
Add the following line within the <VirtualHost> section:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
3. Restart Apache:
Restart the Apache service to apply changes.
sudo systemctl restart httpd
NGINX:
- Edit the Configuration File:
Open your Nginx configuration file (nginx.conf or a site-specific configuration file).
sudo nano /etc/nginx/nginx.conf
- Add HSTS Header:
Add the following line within the server block:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
- Restart Nginx:
Restart the Nginx service to apply changes.
sudo systemctl restart nginx
Rollback
Apache:
1. Edit the Configuration File:
Open your Apache configuration file by running the following command:
sudo nano /etc/httpd/conf/httpd.conf
2. Remove HSTS Header:
Locate and delete the line:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
3. Restart Apache:
Restart the Apache service to apply changes.
sudo systemctl restart httpd
Nginx:
- Edit the Configuration File:
Open your Nginx configuration file by running this command:
sudo nano /etc/nginx/nginx.conf
- Remove HSTS Header:
Locate and delete the line:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
- Restart Nginx:
Restart the Nginx service to apply changes.
sudo systemctl restart nginx
These steps will revert the HSTS settings on your web server.
How to Verify the Fix
- Rescan the device with Nessus plugin ID 85582 and check for the vulnerability.
- testssl.sh --headers yourdomain.com:port_number
The output should now show that “Strict Transport Security” is configured correctly.
An example of a properly configured HSTS header:
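As an added example (not part of the original page), the following POSIX shell script checks the Strict-Transport-Security header a server actually returns against the values set in the fix above: a max-age of at least one year (31536000 seconds) and includeSubDomains. It reads raw response headers, so it can be run against live output from curl or against the constructed sample headers embedded in the script for offline testing. The function names, the MIN_MAX_AGE threshold and the sample header blocks are constructed for this example; curl, grep, sed, tr and head are standard tools.

```shell
#!/bin/sh
# Added example: verify that a server's Strict-Transport-Security header matches
# the fix above (max-age >= one year plus includeSubDomains).
# Function names, MIN_MAX_AGE and the sample header blocks are constructed here.

MIN_MAX_AGE=31536000    # one year, the value set in the Apache and Nginx lines above

# check_hsts_value VALUE
# Judges one header value. Prints ok / weak / disabled / missing; returns 0 only for ok.
check_hsts_value() {
    # Directive names are case-insensitive and values may be quoted (RFC 6797 section 6.1).
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d '"')
    max_age=$(printf '%s' "$lower" | sed -n 's/.*max-age[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    if [ -z "$max_age" ]; then
        echo missing            # max-age is mandatory; browsers ignore the header without it
        return 1
    fi
    if [ "$max_age" -eq 0 ]; then
        echo disabled           # max-age=0 tells browsers to forget the host's HSTS policy
        return 1
    fi
    case "$lower" in
        *includesubdomains*) subs=yes ;;
        *)                   subs=no  ;;
    esac
    if [ "$max_age" -lt "$MIN_MAX_AGE" ] || [ "$subs" = no ]; then
        echo weak               # header present but shorter or narrower than the fix above
        return 1
    fi
    echo ok
}

# check_hsts_headers < raw-response-headers
# Reads HTTP response headers from stdin and checks the first
# Strict-Transport-Security header; browsers process only the first one (RFC 6797 section 8.1).
check_hsts_headers() {
    value=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 | sed 's/^[^:]*:[[:space:]]*//')
    if [ -z "$value" ]; then
        echo missing
        return 1
    fi
    check_hsts_value "$value"
}

# hsts_probe HOST[:PORT]
# Fetches the HTTPS response headers with a GET (some servers reject HEAD) and checks them.
# The header is only honoured over HTTPS, so the probe deliberately uses https://.
hsts_probe() {
    curl -sS -o /dev/null -D - "https://$1/" | check_hsts_headers
}

# sample_headers good|weak|missing
# Constructed response headers used to exercise the checks offline.
sample_headers() {
    case "$1" in
        good)
            printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\nContent-Type: text/html\r\n\r\n' ;;
        weak)
            printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n' ;;
        missing)
            printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n' ;;
    esac
}

# Usage: sh hsts_check.sh yourdomain.com:port_number
if [ $# -gt 0 ]; then
    hsts_probe "$1"
fi
```

Run it with a host:port argument after applying the fix; "ok" confirms the header is present with the values configured above, "missing" reproduces the original finding, and "weak" or "disabled" means a header is sent but with a shorter max-age, without includeSubDomains, or with max-age=0.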
Links (for additional resources and references)
https://www.tenable.com/plugins/nessus/142960
https://datatracker.ietf.org/doc/html/rfc6797