The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection.

Security Assessment

Security Assessment Increase TLS Key Size

CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability Information

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection.

Guides

Use the following guides to set the correct header enabling HSTS.

Let’s Encrypt

With Let’s Encrypt it is very easy to enable HSTS. When creating a new certificate just ad the –HSTS flag. If your certificates are already generated by Let’s Encrypt, just run the same command and choose “Attempt to reinstall this existing certificate” as the first option. This will reuse your certificate and just enable HSTS stapling.

certbot run -d [DOMAIN] --staple-ocsp --hsts

Apache

On Apache you need to update your SSL configuration to include the correct Header directives. Add this to the virtual host configuration in /etc/apache2/sites-enabled/domain.conf or /etc/httpd/sites-enabled/domain.conf:

<IfModule mod_ssl.c>
    SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
    <VirtualHost *:443>
            Header always set Strict-Transport-Security "max-age=31536000"
 
            ServerAdmin webmaster@localhost
            ServerName example.com
            DocumentRoot /var/www
 
            SSLEngine on
 
            SSLCertificateFile /etc/apache2/ssl/example.com/apache.crt
            SSLCertificateKeyFile /etc/apache2/ssl/example.com/apache.key
 
            SSLCACertificateFile /etc/ssl/ca-certs.pem
            SSLUseStapling on
    </VirtualHost>
</IfModule>

nginx

On Nginx you need to update your SSL configuration which is usually located at /etc/nginx/nginx.conf, /etc/nginx/sited-enabled/yoursite.com (Ubuntu / Debian) or /etc/nginx/conf.d/nginx.conf (RHEL / CentOS) to include the correct header with the add_header directives:

server {
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; ";
 
        listen   443;
        server_name example.org;
 
        root /usr/share/nginx/www;
        index index.html index.htm;
 
        ssl on;
        ssl_certificate /etc/nginx/ssl/example.org/server.crt;
        ssl_certificate_key /etc/nginx/ssl/example.org/server.key;
 
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;
}

Scan for free now