Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
SSL/TLS: HPKP / HSTS / Expect-CT Headers sent via plain HTTP
Information
Severity: Informational
Family: SSL and TLS
CVSSv2 Base: 0.0
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:N
Solution Type: Workaround
Created: 6 years ago
Modified: 5 years ago
Summary
This script checks whether the remote HTTP server sends an HPKP (Public-Key-Pins), HSTS (Strict-Transport-Security) and/or Expect-CT header in responses served over plain HTTP. These headers are only defined for responses received over a secure transport: RFC 6797 (HSTS) and RFC 7469 (HPKP) require the user agent to ignore them on a non-secure connection, so a copy sent on port 80 protects nothing and usually indicates that the headers were configured globally rather than on the TLS virtual host only.
Solution
Configure the remote host to send HPKP, HSTS and Expect-CT headers only in responses served over HTTPS; the plain-HTTP listener should do nothing more than redirect to the HTTPS origin. Sending those headers via plain HTTP does not comply with the referenced RFCs. Note that HPKP is deprecated and current browsers no longer honour Public-Key-Pins, so an HPKP header is better removed from the HTTPS responses as well rather than merely moved.
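As an added illustration of the check the summary describes and of the distinction the solution draws between the plain-HTTP and HTTPS listeners (this is example Python, not Mageni's NASL script; the host name and both sample responses are constructed, not captured from any real server):

```python
"""Detect HSTS / HPKP / Expect-CT headers in a plain-HTTP response.

Added example, not Mageni's own check. The sample responses below are
constructed; www.example.com is a placeholder host name.
"""
import http.client

# Header names that only have meaning over HTTPS (RFC 6797, RFC 7469,
# Expect-CT). Compared case-insensitively, as HTTP header names are.
TLS_ONLY_HEADERS = (
    "strict-transport-security",
    "public-key-pins",
    "public-key-pins-report-only",
    "expect-ct",
)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response head into (status_code, [(name, value), ...]).

    Header names are lowercased; the body, if any, is ignored.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    status = int(parts[1])
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def misplaced_headers(raw: bytes) -> dict:
    """Return the TLS-only headers found in a plain-HTTP response.

    Result maps lowercased header name to value; empty means no finding.
    """
    _status, headers = parse_response(raw)
    return {name: value for name, value in headers if name in TLS_ONLY_HEADERS}


def fetch_plain_http(host: str, port: int = 80, path: str = "/",
                     timeout: float = 10.0) -> bytes:
    """Send one GET over plain HTTP, without following redirects, and return
    the response head in raw form so misplaced_headers() can consume it.

    Network helper for real use; the samples below do not call it.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host,
                                           "User-Agent": "header-check/0.1"})
        resp = conn.getresponse()
        head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
        head += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
        return (head + "\r\n").encode("iso-8859-1", errors="replace")
    finally:
        conn.close()


def report(raw: bytes, origin: str = "http://www.example.com/") -> str:
    """Human-readable finding for one plain-HTTP response."""
    found = misplaced_headers(raw)
    if not found:
        return f"{origin}: OK, no TLS-only headers over plain HTTP"
    lines = [f"{origin}: {len(found)} TLS-only header(s) sent over plain HTTP:"]
    lines += [f"  {name}: {value}" for name, value in sorted(found.items())]
    return "\n".join(lines)


# Constructed sample: a port-80 listener that redirects to HTTPS but also
# emits HSTS and Expect-CT, which the browser must ignore on this transport.
SAMPLE_BAD = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Server: nginx\r\n"
    b"Location: https://www.example.com/\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Expect-CT: max-age=86400, enforce\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed sample: the same redirect done correctly; the security headers
# are sent only by the HTTPS virtual host, so the port-80 response is clean.
SAMPLE_GOOD = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Server: nginx\r\n"
    b"Location: https://www.example.com/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(report(SAMPLE_BAD))
    print(report(SAMPLE_GOOD))
    # Against a live host: print(report(fetch_plain_http("www.example.com")))
```

The fetch deliberately does not follow the redirect: the point of the check is what the port-80 listener itself says, and a 200 response carrying these headers over plain HTTP is the same finding as the redirect above. When fixing the server, add the headers only inside the TLS virtual host (or the equivalent per-listener scope of your web server) rather than in a global section that both listeners inherit.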
References
- https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_S
- https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
- https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hpkp
- https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hsts
- https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#ect
- https://tools.ietf.org/html/rfc6797
- https://tools.ietf.org/html/rfc7469
- https://securityheaders.io/
- http://httpwg.org/http-extensions/expect-ct.html#http-request-type