Missing Strict Transport Security HTTP header

Description

This publicly exposed API endpoint does not implement the HTTP Strict-Transport-Security (HSTS) header. This header is crucial for security as it instructs browsers to only interact with the application over HTTPS, protecting against protocol downgrade attacks and cookie hijacking. Without this header, users may be vulnerable to man-in-the-middle attacks where an attacker could intercept and modify traffic or steal sensitive information by forcing connections over unencrypted HTTP.

Remediation

Implement the HTTP Strict-Transport-Security (HSTS) header in all API responses with appropriate values:

  • Set a long max-age directive (at least 31536000 seconds, i.e. one year, is recommended).
  • Include the includeSubDomains directive to protect all subdomains.
  • Consider adding the preload directive for maximum protection.

Example header value:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
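As an added example (not part of the original page), a small Python check that evaluates a response's Strict-Transport-Security header against the three recommendations above, plus a helper that builds the recommended value; the sample header dictionaries are constructed for the demonstration.

```python
ONE_YEAR = 31536000  # seconds; the minimum max-age recommended above


def parse_hsts(value: str) -> dict:
    """Split an HSTS header value into its directives.

    Directive names are case-insensitive (RFC 6797), so they are lower-cased;
    values are kept as strings with any surrounding quotes removed.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def hsts_findings(headers: dict) -> list:
    """Return findings for a response's headers; an empty list means the
    header meets the guidance (max-age >= one year, includeSubDomains, preload)."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["header missing"]
    d = parse_hsts(value)
    findings = []
    if "max-age" not in d:
        findings.append("max-age directive missing")
    elif not d["max-age"].isdigit():
        findings.append("max-age is not a non-negative integer")
    elif int(d["max-age"]) == 0:
        findings.append("max-age=0 disables HSTS")
    elif int(d["max-age"]) < ONE_YEAR:
        findings.append(f"max-age {d['max-age']} is shorter than one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    if "preload" not in d:
        findings.append("preload missing (optional, recommended)")
    return findings


def build_hsts_header(max_age: int = ONE_YEAR, include_subdomains: bool = True,
                      preload: bool = True) -> str:
    """Assemble the header value in the form shown in the remediation above."""
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed sample responses: one without the header, one with a weak value.
    for sample in ({"Content-Type": "application/json"},
                   {"Strict-Transport-Security": "max-age=300"}):
        print(sample, "->", hsts_findings(sample) or "OK")
    print("Recommended value:", build_hsts_header())
```

Only add preload once every subdomain is already served over HTTPS, since preload lists are applied by browsers before any request is made and are slow to leave.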