ZAP – Strict-Transport-Security Defined via META (Non-compliant with Spec)

Details
Alert ID	10035-6
Alert Type	Passive
Status	release
Risk	Low
CWE	319
WASC	15
Technologies Targeted	All
Tags	CWE-319 OWASP_2017_A06 OWASP_2021_A05 POLICY_PENTEST POLICY_QA_STD SYSTEMIC
More Info	Scan Rule Help

Summary

A HTTP Strict Transport Security (HSTS) META tag was found, defining HTTP Strict Transport Security (HSTS) via a META tag is explicitly not supported by the spec (RFC 6797).

Solution

Do not attempt to set HTTP Strict Transport Security (HSTS) via a META tag.

Other Info

References

https://datatracker.ietf.org/doc/html/rfc6797#section-8.5

Code

org/zaproxy/zap/extension/pscanrules/StrictTransportSecurityScanRule.java