
HSTS Missing From HTTPS Server (RFC 6797)

**Disclaimer**: Please note that the following actions involve making changes to your system. We provide this information for guidance purposes only. We are not responsible for any damage or loss that may occur as a result of implementing these steps. It is recommended to proceed with caution and have a valid backup of your server before making any modifications.

Vulnerability Details 

HSTS (HTTP Strict Transport Security, RFC 6797) is a response header with which a site instructs browsers to use only HTTPS for that host for a stated period (max-age). Once a browser has received the header over a valid HTTPS connection it rewrites plain http:// requests to https:// itself and no longer lets the user click through certificate errors. This defeats SSL-stripping and other downgrade attacks and keeps session cookies from being sent in clear text. A server that is reachable over HTTPS but never sends the header leaves every first visit, and every visit after a cached policy has expired, exposed to these attacks.

Severity Rating

Medium

How to Verify if a Device is Vulnerable

Use Nessus plugin ID 142960 to scan the device for this vulnerability.

You can also verify manually with testssl.sh, which can be found here: https://testssl.sh/ After installing it, run this command against the HTTPS port:

testssl.sh --headers yourdomain.com:port_number

If the HSTS header is not configured, the "Strict Transport Security" line in the output will say so. The check must be made against the HTTPS port: a Strict-Transport-Security header sent over plain HTTP is ignored by browsers and does not count.

How to Fix

Configure your web server to send the Strict-Transport-Security header on every HTTPS response. Two caveats before you do so: the header only takes effect when received over HTTPS, so the HTTP listener should redirect to HTTPS rather than try to send it; and includeSubDomains extends the policy to every subdomain of the host, so confirm that all subdomains (including internal or legacy ones) are actually served over HTTPS, or leave that directive out. If in doubt, deploy with a short max-age first (for example 300 seconds) and raise it to a year once you have confirmed nothing breaks; browsers cache the policy, so a mistake with a long max-age is slow to undo.

How to do this:

Apache:
1. Edit the Configuration File:

Open your Apache configuration file (httpd.conf, or the virtual host file for the HTTPS site). On RHEL-based systems:

sudo nano /etc/httpd/conf/httpd.conf

On Debian/Ubuntu the configuration lives under /etc/apache2/ instead (site files under /etc/apache2/sites-enabled/).

2. Add HSTS Header:

Add the following line within the <VirtualHost *:443> section (the HTTPS virtual host). The Header directive requires mod_headers, which is built in on RHEL-based systems and enabled with "sudo a2enmod headers" on Debian/Ubuntu:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

3. Restart Apache:

Check the configuration syntax first (apachectl configtest), then restart the Apache service to apply the changes:

sudo systemctl restart httpd

NGINX:

1. Edit the Configuration File:

Open your Nginx configuration file (nginx.conf, or the site-specific file for the HTTPS server, typically under /etc/nginx/conf.d/ or /etc/nginx/sites-enabled/):

sudo nano /etc/nginx/nginx.conf

2. Add HSTS Header:

Add the following line within the server block that listens on port 443 with ssl (the HTTPS server). Note that Nginx does not inherit add_header directives into a location block that contains its own add_header; if any location block adds headers, repeat this line there as well:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

3. Restart Nginx:

Check the configuration syntax first (nginx -t), then restart the Nginx service to apply the changes:

sudo systemctl restart nginx

Rollback

Apache

Edit the Configuration File:

Open your Apache configuration file by running the following command:

sudo nano /etc/httpd/conf/httpd.conf

Remove HSTS Header:

Locate and delete the line:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Restart the Apache service:

sudo systemctl restart httpd

Nginx:

Edit the Configuration File:

Open your Nginx configuration file by running this command:

sudo nano /etc/nginx/nginx.conf

Remove HSTS Header:

Locate and delete the line:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Restart the Nginx service:

sudo systemctl restart nginx

These steps stop the server from sending the header. They do not clear the policy from browsers that have already cached it: each browser keeps forcing HTTPS for the host until its stored max-age expires (one year with the value above). If the site must become reachable over plain HTTP again sooner than that, first serve the header with max-age=0 over HTTPS for a while so that returning browsers drop the policy, and only then remove the line.

How to Verify the Fix

  • Rescan the device with Nessus plugin ID 142960 and confirm the finding no longer appears.
  • testssl.sh --headers yourdomain.com:port_number

    Now the "Strict Transport Security" line should show the header as configured.
    An example of a properly configured HSTS header, as sent by the server in its HTTPS response:

    Strict-Transport-Security: max-age=31536000; includeSubDomains
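The following script is an added example and is not part of the original article or of testssl.sh. It does, in plain POSIX shell, what the manual verification steps above and in "How to Verify if a Device is Vulnerable" describe: it parses HTTP response headers, reports whether a Strict-Transport-Security header with an adequate max-age is present on the HTTPS response, and also checks that the plain-HTTP listener redirects to HTTPS, since HSTS only protects browsers that have already seen the header. It assumes curl is installed for the live check; the MIN_MAX_AGE threshold and the sample responses at the bottom are assumptions constructed for the example, not captures from a real server.

```shell
#!/bin/sh
# Added example (not part of the original article): check an HTTPS response
# for a usable Strict-Transport-Security header, and check that the plain
# HTTP listener redirects to HTTPS instead of serving content.
# Assumptions: curl is installed; MIN_MAX_AGE is a local policy threshold
# (one year, the value used in the article's configuration).

MIN_MAX_AGE=${MIN_MAX_AGE:-31536000}

# hsts_status reads raw response headers on stdin and prints one word:
#   missing  no Strict-Transport-Security header at all
#   weak     header present, but max-age absent or below MIN_MAX_AGE
#   ok       header present with max-age >= MIN_MAX_AGE
# Exit status is 0 only for "ok".
hsts_status() {
    # Header names are case-insensitive; strip CR from CRLF line endings.
    hdr=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1)
    if [ -z "$hdr" ]; then
        echo missing
        return 1
    fi
    age=$(printf '%s\n' "$hdr" | tr 'A-Z' 'a-z' \
          | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$age" ] || [ "$age" -lt "$MIN_MAX_AGE" ]; then
        echo weak
        return 1
    fi
    echo ok
}

# http_redirect_status reads the headers of a plain-HTTP response on stdin
# and prints "redirect" if it is a 3xx with an https:// Location, else "serves".
# HSTS only protects browsers that have already seen the header over HTTPS,
# so the HTTP listener must send every first-time visitor to HTTPS.
http_redirect_status() {
    resp=$(tr -d '\r')
    code=$(printf '%s\n' "$resp" | head -n 1 | awk '{print $2}')
    loc=$(printf '%s\n' "$resp" | grep -i '^location:' | head -n 1 \
          | tr 'A-Z' 'a-z')
    case "$code" in
        301|302|307|308)
            case "$loc" in
                location:*https://*) echo redirect; return 0 ;;
            esac ;;
    esac
    echo serves
    return 1
}

# check_site runs both checks against a live host.
# curl -I sends HEAD; -L is deliberately not used, because the policy must be
# on the HTTPS response itself, not on whatever a redirect chain ends at.
check_site() {
    host=$1
    printf 'https://%s HSTS: ' "$host";     curl -sI "https://$host" | hsts_status
    printf 'http://%s  redirect: ' "$host"; curl -sI "http://$host"  | http_redirect_status
}

# Constructed sample responses for offline use (not captured from a real server).
SAMPLE_OK=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n')
SAMPLE_MISSING=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n')
SAMPLE_WEAK=$(printf 'HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=300\r\n')
SAMPLE_REDIRECT=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n')
SAMPLE_SERVES=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n')

# Usage: ./hsts-check.sh yourdomain.com
if [ -n "$1" ]; then
    check_site "$1"
fi
```

The script reports "weak" rather than "ok" when max-age is present but shorter than the threshold, which is what you will see during a staged rollout that started with a small value; raise max-age to the final value once the short-lived policy has caused no breakage.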


Links (for additional resources and references)

https://www.tenable.com/plugins/nessus/142960
https://datatracker.ietf.org/doc/html/rfc6797
