HSTS enabled on public sites
Demonstrate that all public-facing web applications and sites enforce HTTPS-only communication through properly configured HTTP Strict Transport Security headers with adequate expiry periods.
Description
What this control does
HTTP Strict Transport Security (HSTS) is a security header that instructs browsers to communicate with the web server exclusively over HTTPS, preventing protocol downgrade attacks and cookie hijacking. When enabled, the server sends a Strict-Transport-Security header over HTTPS (browsers ignore it on plain HTTP responses) containing directives such as max-age, includeSubDomains, and preload, which the browser enforces for the specified duration. This control is critical for public-facing websites to ensure encrypted communication cannot be bypassed through man-in-the-middle attacks or user error.
Control objective
What auditing this proves
Demonstrate that all public-facing web applications and sites enforce HTTPS-only communication through properly configured HTTP Strict Transport Security headers with adequate expiry periods.
Associated risks
Risks this control addresses
- Man-in-the-middle attackers intercept initial HTTP requests before redirection to HTTPS, capturing sensitive session tokens or credentials
- Users accessing sites via HTTP links or typing URLs without protocol specification expose data in cleartext transmission
- SSL-stripping attacks downgrade HTTPS connections to HTTP, bypassing encryption without user awareness
- Cookie theft occurs when secure cookies are transmitted over unencrypted HTTP connections initiated by attackers
- Network-level adversaries forge responses to HTTP requests, injecting malicious content before HTTPS upgrade occurs
- Mixed content vulnerabilities allow attackers to exploit HTTP resources loaded within HTTPS pages to compromise the secure context
- Browser trust decisions are subverted when users habitually click through certificate warnings on HTTPS connections; HSTS makes such warnings non-bypassable for covered hosts
Testing procedure
How an auditor verifies this control
- Obtain an inventory of all public-facing domains, subdomains, and web applications accessible from the internet.
- Use browser developer tools or command-line utilities (curl, wget) to send HTTPS requests to each identified domain and capture response headers.
- Verify the presence of the Strict-Transport-Security header in HTTPS responses from production web servers.
- Examine the max-age directive value to confirm it meets organizational policy minimum (typically 31536000 seconds for one year).
- Check whether the includeSubDomains directive is present if the organization uses subdomains under the parent domain.
- Test that the HSTS policy is applied: after a prior HTTPS visit, access the site via HTTP and verify that the browser automatically upgrades the request to HTTPS.
- Review web server configuration files (Apache, Nginx, IIS, load balancers) to confirm HSTS headers are configured at the infrastructure level, not solely at the application layer.
- Validate the HSTS preload list submission status, if the organization claims preload compliance, by checking hstspreload.org or the Chromium source.
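The header checks in the procedure above (max-age against the policy minimum, includeSubDomains where subdomains are in use, and the preload requirements) can be scripted over captured response headers. This is an added example, not part of the control text: the policy thresholds and finding wording are assumptions standing in for organizational policy, and the header values it is fed are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; assumed policy minimum for max-age, also the hstspreload.org minimum

@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False

def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse the ';'-separated directives (RFC 6797 s6.1): names are case-insensitive, max-age may be quoted."""
    policy = HstsPolicy()
    for raw in header_value.split(";"):
        name, _, value = raw.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy

def audit_hsts(header_value: Optional[str], *, min_age: int = ONE_YEAR,
               require_subdomains: bool = False, claims_preload: bool = False) -> List[str]:
    """Return audit findings for one HTTPS response; an empty list means the control passes."""
    if header_value is None:
        return ["Strict-Transport-Security header missing from HTTPS response"]
    p = parse_hsts(header_value)
    findings = []
    if p.max_age is None:
        findings.append("max-age directive missing or malformed; browsers ignore the header")
    elif p.max_age == 0:
        findings.append("max-age=0 clears the policy instead of enforcing HTTPS")
    elif p.max_age < min_age:
        findings.append(f"max-age {p.max_age} is below policy minimum {min_age}")
    if require_subdomains and not p.include_subdomains:
        findings.append("includeSubDomains missing although subdomains are in use")
    if claims_preload:
        if not p.preload:
            findings.append("preload directive missing despite claimed preload status")
        if not p.include_subdomains:
            findings.append("preload submission requires includeSubDomains")
        if p.max_age is not None and p.max_age < ONE_YEAR:
            findings.append("preload submission requires max-age of at least one year")
    return findings
```

Feed `audit_hsts` the header value captured with `curl -sI` against each inventoried domain; a non-empty list is the finding to record for that host.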
Where this control is tested