Missing or Weak HSTS Header

Gixy Check ID: hsts_header

Overview

The hsts_header plugin detects missing or weak HSTS configuration in HTTPS servers.

HSTS (HTTP Strict Transport Security) is delivered via the Strict-Transport-Security response header and helps protect users against:

  • protocol downgrade attacks
  • cookie hijacking

What it detects

1. Missing HSTS header

Detects HTTPS servers (listen ... ssl;) that never add the header:

add_header Strict-Transport-Security "...";

2. Weak HSTS max-age

Detects HSTS with max-age less than 6 months (15768000 seconds).

Examples

❌ Bad: Missing HSTS

http {
    server {
        listen 443 ssl;
        # Missing: add_header Strict-Transport-Security
    }
}

✅ Good: HSTS with 1 year max-age

http {
    server {
        listen 443 ssl;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }
}

Notes

  • Servers configured with ssl_reject_handshake on; are skipped, because they never emit HTTP response headers.
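To make the two rules above and the ssl_reject_handshake exception concrete, here is a small checker added to this page; it is not Gixy's own code and uses none of Gixy's parser or plugin APIs. It locates server blocks by brace counting, treats a block as HTTPS when a listen directive carries ssl or binds port 443 (an assumption of this toy, Gixy's real parser is more thorough), skips blocks with ssl_reject_handshake on;, and reports "missing" when no Strict-Transport-Security header is added and "weak:<max-age>" when max-age is below 15768000 seconds. A header without a max-age is reported as missing, because RFC 6797 requires that directive. The sample config is constructed for this example and combines the page's bad and good servers with a too-short max-age and a handshake-rejecting server.

```python
import re

# Threshold stated on the page: a max-age below 6 months (15768000 s) is weak.
MIN_MAX_AGE = 15768000

SERVER_RE = re.compile(r"\bserver\s*\{")
LISTEN_RE = re.compile(r"\blisten\s+([^;]+);")
HSTS_RE = re.compile(r'\badd_header\s+Strict-Transport-Security\s+"([^"]*)"', re.I)
MAX_AGE_RE = re.compile(r"max-age\s*=\s*(\d+)", re.I)
REJECT_RE = re.compile(r"\bssl_reject_handshake\s+on\s*;")


def _strip_comments(config: str) -> str:
    """Drop `# ...` comments so a commented-out add_header does not count."""
    return re.sub(r"#[^\n]*", "", config)


def _server_blocks(config: str):
    """Yield the body of every `server { ... }` block, found by brace counting.

    Good enough for the flat syntax in the examples; Gixy's real parser also
    copes with braces inside quoted strings, which this toy one does not.
    """
    for m in SERVER_RE.finditer(config):
        depth, i = 1, m.end()
        while i < len(config) and depth > 0:
            if config[i] == "{":
                depth += 1
            elif config[i] == "}":
                depth -= 1
            i += 1
        yield config[m.end(): i - 1]


def _is_https_server(body: str) -> bool:
    """True if any listen directive carries `ssl` or binds port 443 (toy heuristic)."""
    for listen in LISTEN_RE.findall(body):
        parts = listen.split()
        if "ssl" in parts or re.fullmatch(r"(?:.*:)?443", parts[0]):
            return True
    return False


def check_hsts(config: str):
    """Return [(server_index, finding), ...] for HTTPS servers with HSTS problems.

    finding is "missing" (no usable Strict-Transport-Security header) or
    "weak:<max-age>" (max-age below MIN_MAX_AGE). Plain-HTTP servers and
    servers with `ssl_reject_handshake on;` are skipped, as the page describes.
    """
    findings = []
    for idx, body in enumerate(_server_blocks(_strip_comments(config))):
        if not _is_https_server(body) or REJECT_RE.search(body):
            continue
        hsts = HSTS_RE.search(body)
        # RFC 6797 requires max-age, so a header without it is treated as missing.
        age = MAX_AGE_RE.search(hsts.group(1)) if hsts else None
        if age is None:
            findings.append((idx, "missing"))
        elif int(age.group(1)) < MIN_MAX_AGE:
            findings.append((idx, f"weak:{age.group(1)}"))
    return findings


# Constructed sample config (not from the page): a plain-HTTP server, the page's
# bad and good examples, a server with a too-short max-age, and a handshake-rejecting one.
SAMPLE_CONFIG = """
http {
    server { listen 80; server_name example.test; }
    server {
        listen 443 ssl;
        # Missing: add_header Strict-Transport-Security
        location / { return 200; }
    }
    server {
        listen 443 ssl;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }
    server {
        listen [::]:443 ssl;
        add_header Strict-Transport-Security "max-age=300";
    }
    server {
        listen 443 ssl;
        ssl_reject_handshake on;
    }
}
"""

if __name__ == "__main__":
    for idx, finding in check_hsts(SAMPLE_CONFIG):
        print(f"server #{idx}: {finding}")
```

Run it as a script and it reports server #1 as missing and server #3 as weak. The checker only inspects directives written directly inside each server block; in nginx, add_header directives are inherited from the enclosing level only when the current level (a location, for example) declares no add_header of its own, so a real audit also has to look inside locations that add their own headers.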