This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Test HTTP Strict Transport Security (OTG-CONFIG-007)"
m (Andrew Muller moved page Testing for Missing HSTS header to Test HTTP Strict Transport Security (OTG-CONFIG-009): Align with common number and cross-product correlation initiative) |
(Fixed some typos, formatting, slight clean up) |
||
| Line 4: | Line 4: | ||
== Brief Summary == | == Brief Summary == | ||
<br> | <br> | ||
| − | HSTS header is a mechanism that web sites have to communicate to the web browsers that all traffic exchanged with a given domain must always be sent over https, this will help protect the information from being passed over unencrypted requests.<br> | + | The HTTP Strict Transport Security (HSTS) header is a mechanism that web sites have to communicate to the web browsers that all traffic exchanged with a given domain must always be sent over https, this will help protect the information from being passed over unencrypted requests.<br> |
| − | Considering the importance of this security measure is important to verify that the web site using this HTTP header, in order to ensure that all the data travels encrypted from the web browser to the server.<br> | + | Considering the importance of this security measure it is important to verify that the web site is using this HTTP header, in order to ensure that all the data travels encrypted from the web browser to the server.<br> |
<br> | <br> | ||
== Description of the Issue == | == Description of the Issue == | ||
| Line 17: | Line 17: | ||
Strict-Transport-Security: max-age=14400 | Strict-Transport-Security: max-age=14400 | ||
== References == | == References == | ||
| − | https://www.owasp.org/index.php/HTTP_Strict_Transport_Security | + | * OWASP HTTP Strict Transport Security - https://www.owasp.org/index.php/HTTP_Strict_Transport_Security |
| − | + | * OWASP Appsec Tutorial Series - Episode 4: Strict Transport Security - http://www.youtube.com/watch?v=zEV3HOuM_Vw | |
| − | |||
| − | http:// | ||
| − | |||
Revision as of 21:53, 4 September 2013
This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project
Brief Summary
The HTTP Strict Transport Security (HSTS) header is a mechanism that web sites have to communicate to the web browsers that all traffic exchanged with a given domain must always be sent over https, this will help protect the information from being passed over unencrypted requests.
Considering the importance of this security measure it is important to verify that the web site is using this HTTP header, in order to ensure that all the data travels encrypted from the web browser to the server.
Description of the Issue
...here: Short Description of the Issue: Topic and Explanation
Black Box testing and example
Testing for the presence of HSTS header:
$ curl -s -D- https://paypal.com/ | grep Strict
Result Expected:
Strict-Transport-Security: max-age=14400
References
- OWASP HTTP Strict Transport Security - https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
- OWASP Appsec Tutorial Series - Episode 4: Strict Transport Security - http://www.youtube.com/watch?v=zEV3HOuM_Vw
