The Strict-Transport-Security (HSTS) response header tells browsers to reach a site only over HTTPS: for the lifetime given by its max-age directive, plain http:// requests to that host are rewritten to https:// before they leave the browser, and TLS certificate errors can no longer be clicked through.

Why is this an issue?

When a website supports HTTPS but never sends the Strict-Transport-Security header, a browser that is handed an http:// link, a typed hostname, or a cached HTTP redirect still opens a plaintext connection first. That connection is exposed to man-in-the-middle attacks: an attacker on the path can read or modify traffic between the user and the server, or keep the user on HTTP altogether (SSL stripping). The policy is remembered for max-age seconds (Helmet's maxAge option) from the last HTTPS response that carried the header, so a short value means a user who has not visited recently is back to an unprotected first request. Without the includeSubDomains directive the policy applies to that exact host only; any subdomain remains reachable over plain HTTP, and an attacker who can answer for one receives cookies scoped to the parent domain unless they carry the Secure flag.

What is the potential impact?

Without a properly configured Strict-Transport-Security header, browsers may connect to the website over unencrypted HTTP. An attacker in a position to intercept network traffic can read or tamper with requests and responses, potentially stealing session cookies, credentials, or other sensitive data.

How to fix it

Code examples

The following code is noncompliant because the HSTS policy uses a short maxAge (3153600 seconds, about 36 days) and disables subdomain protection via includeSubDomains: false.

Noncompliant code example

const express = require('express');
const helmet = require('helmet');

const app = express();

// helmet.hsts() adds Strict-Transport-Security to every response.
// maxAge is in seconds: 3153600 s is roughly 36 days, so a user who has not
// visited in that time makes their next first request over plain HTTP.
app.use(helmet.hsts({
  maxAge: 3153600, // Noncompliant: max age is too short
  includeSubDomains: false // Noncompliant: subdomains stay reachable over HTTP
}));

Compliant solution

const express = require('express');
const helmet = require('helmet');

const app = express();

app.use(helmet.hsts({
  maxAge: 31536000, // one year in seconds
  includeSubDomains: true // cover every subdomain of the host as well
}));
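Helmet renders the two configurations above as the header values `max-age=3153600` and `max-age=31536000; includeSubDomains`. The following is an added example, not code from the original page or from Helmet: a small parser and checker for a Strict-Transport-Security header value, so the policy a server actually emits can be verified (for instance against `res.headers['strict-transport-security']` in a test). The function names, the one-year threshold and the finding messages are this example's own choices; the directive syntax follows RFC 6797.

```javascript
// Added example: parse a Strict-Transport-Security value and check it against
// the policy this rule expects. Per RFC 6797, directives are separated by ';',
// directive names are case-insensitive, max-age is a number of seconds (it may
// be quoted), includeSubDomains takes no value, and unknown directives are ignored.

const ONE_YEAR = 31536000; // seconds; the minimum max-age this check accepts

function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of headerValue.split(';')) {
    const directive = part.trim();
    if (!directive) continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"|"$/g, '');
    if (name === 'max-age') {
      if (value === null || !/^\d+$/.test(value)) {
        throw new Error(`invalid max-age directive: ${directive}`);
      }
      policy.maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      policy.preload = true;
    }
    // any other directive is ignored, as the RFC requires
  }
  return policy;
}

// Returns a list of findings; an empty list means the header meets the policy.
function checkHsts(headerValue, minMaxAge = ONE_YEAR) {
  if (headerValue === undefined || headerValue === null || headerValue === '') {
    return ['Strict-Transport-Security header is missing'];
  }
  const findings = [];
  const policy = parseHsts(headerValue);
  if (policy.maxAge === null) {
    findings.push('max-age directive is required');
  } else if (policy.maxAge === 0) {
    findings.push('max-age=0 tells browsers to forget the policy');
  } else if (policy.maxAge < minMaxAge) {
    findings.push(`max-age of ${policy.maxAge}s is shorter than the required ${minMaxAge}s`);
  }
  if (!policy.includeSubDomains) {
    findings.push('includeSubDomains is missing; subdomains stay reachable over HTTP');
  }
  if (policy.preload && (!policy.includeSubDomains || policy.maxAge === null || policy.maxAge < ONE_YEAR)) {
    findings.push('preload requires includeSubDomains and a max-age of at least one year');
  }
  return findings;
}

// Constructed inputs: the header values Helmet produces for the two configurations on this page.
const NONCOMPLIANT = 'max-age=3153600';                  // helmet.hsts({ maxAge: 3153600, includeSubDomains: false })
const COMPLIANT = 'max-age=31536000; includeSubDomains'; // helmet.hsts({ maxAge: 31536000, includeSubDomains: true })

console.log(checkHsts(NONCOMPLIANT)); // two findings: short max-age, no includeSubDomains
console.log(checkHsts(COMPLIANT));    // []
```

Run `checkHsts` on the header value returned by a real response rather than on the configuration object: it catches a policy that is misconfigured upstream (a proxy overwriting the header, or a route that bypasses the middleware) that reading the Express code alone would miss. The preload check mirrors the submission requirements of the HSTS preload list, which Helmet's optional `preload: true` is meant to satisfy.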
