ZAP – Strict-Transport-Security Malformed Content (Non-compliant with Spec)

Details
Alert ID	10035-8
Alert Type	Passive
Status	release
Risk	Low
CWE	319
WASC	15
Technologies Targeted	All
Tags	CWE-319 OWASP_2017_A06 OWASP_2021_A05
More Info	Scan Rule Help

Summary

A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters.

Solution

Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content.

Other Info

References

https://datatracker.ietf.org/doc/html/rfc6797

Code

org/zaproxy/zap/extension/pscanrules/StrictTransportSecurityScanRule.java