Rules Repository: RSPEC-5739

Disabling Strict-Transport-Security policy is security-sensitive


    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure disabling Strict-Transport-Security policy is safe here.
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      ABAP, APEX, C#, C, C++, Cobol, CSS, Flex, Go, HTML, Java, Kotlin, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Covered Languages:
      JavaScript
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Analysis Level:
      Semantic Analysis
    • Analysis Scope:
      Main Sources
    • OWASP:
      A3

      Description

      When a website implements HTTPS, it usually keeps serving HTTP as well, only to redirect users who request the HTTP version to HTTPS. That first request and its redirect are unencrypted and therefore vulnerable to man-in-the-middle attacks: an attacker on the path can intercept the plain-HTTP request and keep the victim on HTTP. The Strict-Transport-Security header (HSTS) set by an application instructs the web browser to convert any subsequent HTTP request for that host into an HTTPS request before it is sent. Omitting the header, or sending it with max-age=0, disables this protection; max-age=0 additionally tells the browser to forget any policy it has already stored for the host.

      Web browsers that see the Strict-Transport-Security header (over HTTPS only; browsers ignore it on plain-HTTP responses) record the information it specifies:

      • the max-age directive, which specifies for how many seconds the browser should keep the policy;
      • the includeSubDomains optional directive, which specifies whether the policy also applies to all subdomains;
      • the preload optional directive, which is not part of the HSTS specification (RFC 6797) but is supported by all modern web browsers.

      With the preload directive the web browser never connects to the website over HTTP, not even on the very first visit. To use this directive, the application must be submitted to the preload service maintained by Google (hstspreload.org), which only accepts domains whose header already carries includeSubDomains and a max-age of at least one year (31536000).

      Ask Yourself Whether

      • The website is accessible over the unencrypted HTTP protocol.

      There is a risk if you answered yes to this question.

      Recommended Secure Coding Practices

      Implement the Strict-Transport-Security header on every HTTPS response. It is recommended to apply the policy to all subdomains (includeSubDomains) and for at least 6 months (max-age=15552000), or better for 1 year (max-age=31536000). Do not disable it by omitting the header or setting max-age=0 unless the site is deliberately being withdrawn from HTTPS. Keep redirecting plain-HTTP requests to HTTPS, but send the header itself only over HTTPS, where browsers will honour it.
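      The following is an added example, not the rule's implementation and not code from this page: a dependency-free Node.js module that builds, parses and assesses Strict-Transport-Security header values against the recommendations above, plus an Express-style middleware that attaches the header only on TLS connections. The function names (buildHsts, parseHsts, assessHsts, hstsMiddleware) and the sample header values are this example's own.

```javascript
// Added example; not the rule's implementation. Plain Node.js, no dependencies.
// Function names (buildHsts, parseHsts, assessHsts, hstsMiddleware) are this
// example's own, as are the sample header values used at the bottom.

const SIX_MONTHS = 15552000; // 180 days: the rule's minimum max-age
const ONE_YEAR = 31536000;   // 365 days: recommended, and required by hstspreload.org

// Build a header value. Refuses to emit "preload" with settings that the
// preload list would reject (max-age under one year, or no includeSubDomains).
function buildHsts({ maxAge = ONE_YEAR, includeSubDomains = true, preload = false } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('max-age must be a non-negative integer number of seconds');
  }
  if (preload && (maxAge < ONE_YEAR || !includeSubDomains)) {
    throw new Error('preload requires max-age >= 31536000 and includeSubDomains');
  }
  let value = `max-age=${maxAge}`;
  if (includeSubDomains) value += '; includeSubDomains';
  if (preload) value += '; preload';
  return value;
}

// Parse a header value the way a browser would: directive names are
// case-insensitive, max-age is required, unknown directives are ignored,
// and a missing, duplicated or non-numeric max-age makes the whole header
// invalid (RFC 6797 section 6.1), so null is returned.
function parseHsts(value) {
  if (typeof value !== 'string') return null;
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const token = raw.trim();
    if (!token) continue;
    const eq = token.indexOf('=');
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : token.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (name === 'max-age') {
      if (policy.maxAge !== null || val === null || !/^\d+$/.test(val)) return null;
      policy.maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      policy.preload = true;
    }
  }
  return policy.maxAge === null ? null : policy;
}

// Check a response's headers (Node.js lowercases header names) against the
// recommendations: present and valid, max-age not 0, at least six months,
// includeSubDomains set, and preload only with preload-list-compatible values.
function assessHsts(headers) {
  const policy = parseHsts(headers['strict-transport-security']);
  const findings = [];
  if (policy === null) {
    findings.push('HSTS header absent or malformed: browsers will keep using plain HTTP');
    return findings;
  }
  if (policy.maxAge === 0) {
    findings.push('max-age=0 disables HSTS and tells browsers to forget a stored policy');
  } else if (policy.maxAge < SIX_MONTHS) {
    findings.push(`max-age=${policy.maxAge} is below six months (${SIX_MONTHS})`);
  }
  if (!policy.includeSubDomains) findings.push('includeSubDomains is missing');
  if (policy.preload && (policy.maxAge < ONE_YEAR || !policy.includeSubDomains)) {
    findings.push('preload set, but the preload list requires max-age >= 31536000 and includeSubDomains');
  }
  return findings;
}

// Express-style middleware. RFC 6797 section 7.2 says the header must not be
// sent over plain HTTP (browsers ignore it there anyway), so it is attached
// only when the socket is TLS or, if trustProxy is set, when a reverse proxy
// reports X-Forwarded-Proto: https. Plain-HTTP requests should be redirected
// to HTTPS by the server, not given the header.
function hstsMiddleware(options = {}) {
  const value = buildHsts(options);
  const trustProxy = options.trustProxy === true;
  return function hsts(req, res, next) {
    const viaTls = Boolean(req.socket && req.socket.encrypted);
    const viaProxy = trustProxy && (req.headers || {})['x-forwarded-proto'] === 'https';
    if (viaTls || viaProxy) res.setHeader('Strict-Transport-Security', value);
    if (typeof next === 'function') next();
  };
}

// Constructed samples: the weak setting the hotspot warns about, next to the recommended one.
console.log(assessHsts({ 'strict-transport-security': 'max-age=0' }));
console.log(assessHsts({ 'strict-transport-security': buildHsts({ preload: true }) }));
```

      In an Express application the middleware is registered with app.use(hstsMiddleware({ trustProxy: true })) when TLS terminates at a reverse proxy; without trustProxy, only requests arriving on an encrypted socket get the header, which is the safe default when the proxy's X-Forwarded-Proto value cannot be trusted.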

      See

        Language specifications

        1. RSPEC-5740: JavaScript (Active, Unassigned)

            People

            Assignee: Unassigned
            Reporter: Eric Therond (eric.therond)