SEC_HSTS_004 security config_error ai_generated true

HSTS header missing 'includeSubDomains' directive allows cookie theft on subdomains

ID: security/http-strict-transport-security-missing-subdomain

Fix rate: 95%
Confidence: 90%
Evidence: 1
First seen: 2023-09-05

Version Compatibility

Version                   Status   Introduced   Deprecated   Notes
Apache HTTP Server 2.4    active   -            -            -
Nginx 1.24                active   -            -            -
IIS 10.0                  active   -            -            -

Root Cause

The HTTP Strict-Transport-Security (HSTS) header is set without the 'includeSubDomains' directive, so browsers enforce HTTPS only for the exact host that sent it. Subdomains (e.g., api.example.com) can still be accessed over plain HTTP, where cookies scoped to the parent domain can be intercepted.


Official Documentation

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

Workarounds

  1. (95% success) Add 'includeSubDomains' to the HSTS header. Example in Nginx:
     add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
  2. (90% success) Submit the domain to browser preload lists (e.g., hstspreload.org) after ensuring all subdomains support HTTPS. This enforces HSTS even on first visit.


Dead Ends

Common approaches that don't work:

  1. Set a very long max-age (e.g., 1 year) without includeSubDomains (95% fail)

    A long max-age without includeSubDomains still leaves subdomains vulnerable; attackers can target subdomains with HTTP.

  2. Use a separate HSTS header on each subdomain (70% fail)

    This is redundant and error-prone; a single header on the main domain with includeSubDomains covers all subdomains.
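As an added example, not part of this record, a small Python checker that parses a Strict-Transport-Security value and reports the weaknesses the workarounds and dead ends above describe (missing includeSubDomains, preload prerequisites); the sample header values and the parent domain name are constructed, and the one-year threshold follows the hstspreload.org requirement.

```python
ONE_YEAR = 31536000  # seconds; hstspreload.org requires at least this

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value-or-None}.
    Directive names are case-insensitive (RFC 6797) and values may be quoted."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives

def check_hsts(value, parent_domain="example.com"):
    """Return findings for a header value (None = header absent); [] means sound."""
    if value is None:
        return ["HSTS header missing entirely"]
    findings = []
    d = parse_hsts(value)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not an integer")
        max_age = 0
    else:
        max_age = int(max_age)
        if max_age == 0:
            findings.append("max-age=0 disables HSTS for this host")
    if "includesubdomains" not in d:
        # The root cause above: the policy stops at this host, so a subdomain
        # such as api.<parent> can still be loaded over plain HTTP.
        findings.append(f"includeSubDomains missing: subdomains of {parent_domain} unprotected")
    if "preload" in d:
        if "includesubdomains" not in d:
            findings.append("preload requires includeSubDomains")
        if max_age < ONE_YEAR:
            findings.append(f"preload requires max-age >= {ONE_YEAR}")
    return findings

# Constructed sample values: dead end 1 (long max-age, no includeSubDomains)
# and the corrected value from the Nginx workaround above.
WEAK = "max-age=31536000"
FIXED = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    for label, value in (("weak", WEAK), ("fixed", FIXED)):
        print(label, check_hsts(value) or ["OK"])
```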