Details
Alert ID 10035-2
Alert Type Passive
Status release
Risk Low
CWE 319
WASC 15
Technologies Targeted All
Tags CWE-319
OWASP_2017_A06
OWASP_2021_A05
POLICY_PENTEST
POLICY_QA_STD
SYSTEMIC
More Info Scan Rule Help

Summary

A HTTP Strict Transport Security (HSTS) header was found, but it contains the directive max-age=0 which disables the control and instructs browsers to reset any previous HSTS related settings. See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Solution

Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with an appropriate max-age value.

Other Info

References

Code

org/zaproxy/zap/extension/pscanrules/StrictTransportSecurityScanRule.java