SEC_HSTS_004
security
config_error
ai_generated
true
HSTS header missing 'includeSubDomains' directive allows cookie theft on subdomains
ID: security/http-strict-transport-security-missing-subdomain
Fix rate: 95%
Confidence: 90%
Evidence count: 1
First seen: 2023-09-05
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Apache HTTP Server 2.4 | active | — | — | — |
| Nginx 1.24 | active | — | — | — |
| IIS 10.0 | active | — | — | — |
Root cause analysis
The HTTP Strict-Transport-Security (HSTS) header is set without the 'includeSubDomains' directive, so subdomains (e.g., api.example.com) can still be accessed over plain HTTP, allowing cookies scoped to the parent domain to be intercepted.
Official documentation
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
Solution
- Add 'includeSubDomains' to the HSTS header. Example in Nginx: add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
- Submit the domain to browser preload lists (e.g., hstspreload.org) after ensuring all subdomains support HTTPS. This enforces HSTS even on the first visit.
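The following checker, added here as an example and not part of the original entry or of any of the listed servers' code, parses a Strict-Transport-Security header value (RFC 6797 directive syntax, names case-insensitive) and reports the weak configurations described on this page: a missing includeSubDomains directive, a missing or short max-age, and a preload directive on a header that does not meet the preload-list requirements (max-age of at least one year plus includeSubDomains). The finding strings and the ONE_YEAR threshold are this example's own choices.

```python
"""Audit a Strict-Transport-Security header value for the includeSubDomains
weakness described above. Added example, not code from the original page."""
import re

ONE_YEAR = 31536000  # seconds; hstspreload.org requires at least this max-age


def parse_hsts(value):
    """Parse an HSTS header value into a dict of directives.

    Directive names are case-insensitive (RFC 6797); valueless directives
    such as includeSubDomains map to True. A repeated directive is invalid.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val.strip().strip('"') if sep else True
    return directives


def assess_hsts(value):
    """Return a list of findings for the header value; an empty list means
    the header enforces HTTPS on the host and all of its subdomains."""
    findings = []
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [f"invalid header: {exc}"]

    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", str(max_age)):
        findings.append("max-age missing or not a non-negative integer")
        max_age = None
    else:
        max_age = int(max_age)
        if max_age == 0:
            findings.append("max-age=0 disables HSTS")
        elif max_age < ONE_YEAR:
            findings.append(f"max-age {max_age} is shorter than one year")

    # The issue this entry is about: without includeSubDomains, browsers only
    # upgrade the exact host, so api.example.com can still be loaded over HTTP.
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains can still be "
                        "reached over plain HTTP")

    # preload is only honoured by the preload list when the other two
    # requirements are met; flag a preload token that is not backed by them.
    if "preload" in d and (max_age is None or max_age < ONE_YEAR
                           or "includesubdomains" not in d):
        findings.append("preload present but header does not meet "
                        "preload-list requirements")
    return findings


if __name__ == "__main__":
    # Constructed sample values: the weak header from this entry and the
    # corrected Nginx value from the solution above.
    for hdr in ("max-age=31536000",
                "max-age=31536000; includeSubDomains; preload"):
        print(repr(hdr), "->", assess_hsts(hdr) or "OK")
```

Run it against the value returned by a real server (for example the header captured with `curl -sI https://example.com`); the corrected Nginx value from the solution above yields no findings, while the weak value reports the missing directive.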
Ineffective attempts
Common but ineffective approaches:
- Set a very long max-age (e.g., 1 year) without includeSubDomains
  95% failure rate
  A long max-age without includeSubDomains still leaves subdomains vulnerable; attackers can target subdomains over HTTP.
- Use a separate HSTS header on each subdomain
  70% failure rate
  This is redundant and error-prone; a single header on the main domain with includeSubDomains covers all subdomains.