Missing Strict Transport Security HTTP header

Description

This publicly exposed API endpoint is served without the HTTP Strict-Transport-Security (HSTS) header. HSTS (RFC 6797) tells a browser to reach the host only over HTTPS for the stated period: once the browser has seen the header on an HTTPS response, it rewrites later http:// URLs for that host to https:// before sending them and refuses to continue past a TLS certificate error. This blocks protocol downgrade attacks such as SSL stripping and keeps cookies that lack the Secure flag from being sent over plain HTTP. Without the header, a user who types the bare hostname, follows an http:// link, or is redirected by an on-path attacker can end up on an unencrypted connection, where the attacker can read or modify the traffic and capture session tokens or other sensitive data. Note that the policy applies to the whole host, not to a single endpoint, that it is enforced by browsers and HSTS-aware clients only after a first successful HTTPS visit, and that browsers ignore the header when it arrives over plain HTTP.

Remediation

Send the HTTP Strict-Transport-Security (HSTS) header on every HTTPS response from the host, not only on selected API routes, since the policy is applied per host, with the following values:

  • Set a long max-age directive (at least 31536000 seconds, which is one year). Shorter values are honoured by browsers but expire sooner, and max-age=0 removes the policy.
  • Include the includeSubDomains directive so that subdomains cannot be reached over plain HTTP. First confirm that every subdomain, including internal ones, serves HTTPS, otherwise those hosts become unreachable for users who have received the policy.
  • Consider adding the preload directive and submitting the domain to the browser preload list for protection before the first visit. Preloading requires max-age of at least one year together with includeSubDomains, and it is hard to reverse, so only do this when the whole domain is committed to HTTPS.

Keep redirecting plain HTTP to HTTPS as well: the header on an HTTP response is ignored, so the redirect is what gets the browser to the HTTPS response that carries the policy. After deploying, verify by requesting the endpoint over HTTPS and checking that the response headers contain the expected value.

Example header value:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
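As an added example (not code from the original page or from any scanner or framework), the following Python shows the two halves of the remediation: a WSGI middleware that attaches the recommended header to HTTPS responses only, and an audit function that parses a received Strict-Transport-Security value and reports where it falls short of the policy above. The names hsts_middleware, audit_hsts, demo_app and call_app, and the sample application and request environ, are assumptions made for this example.

```python
"""Added example, not from the original page: a WSGI middleware that sets
Strict-Transport-Security on HTTPS responses, plus an audit function that
checks a received header value against the recommended policy.
Names (hsts_middleware, audit_hsts, demo_app, call_app) and the sample
app and request environ are assumptions made for this example.
"""

ONE_YEAR = 31536000
HSTS_VALUE = "max-age=31536000; includeSubDomains; preload"


def parse_hsts(value):
    """Split an HSTS value into {directive_name: parameter}.

    Directive names are case-insensitive (RFC 6797); only max-age carries a
    parameter, which may be quoted. Unknown directives are kept as-is.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, param = part.partition("=")
        directives[name.strip().lower()] = param.strip().strip('"')
    return directives


def audit_hsts(value):
    """Return a list of findings for a header value; an empty list means it
    meets the recommended policy. Pass None when the header is absent."""
    if value is None:
        return ["header missing"]
    findings = []
    d = parse_hsts(value)
    max_age = None
    if "max-age" not in d:
        findings.append("max-age missing; browsers ignore the header without it")
    else:
        try:
            max_age = int(d["max-age"])
        except ValueError:
            findings.append("max-age is not an integer")
    if max_age is not None:
        if max_age == 0:
            findings.append("max-age=0 clears the host's HSTS policy")
        elif max_age < ONE_YEAR:
            findings.append(f"max-age={max_age} is shorter than one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing; subdomains stay reachable over HTTP")
    if "preload" in d and (
        max_age is None or max_age < ONE_YEAR or "includesubdomains" not in d
    ):
        findings.append("preload needs max-age>=31536000 and includeSubDomains")
    return findings


def hsts_middleware(app, value=HSTS_VALUE):
    """Wrap a WSGI app so every HTTPS response carries the HSTS header.

    The header is added only when the request arrived over HTTPS: RFC 6797
    requires browsers to ignore it on plain-HTTP responses, and the plain
    HTTP listener should redirect to HTTPS instead.
    """
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            if environ.get("wsgi.url_scheme") == "https":
                # Replace any value the app set so the policy is consistent.
                headers = [(k, v) for k, v in headers
                           if k.lower() != "strict-transport-security"]
                headers.append(("Strict-Transport-Security", value))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return wrapped


def demo_app(environ, start_response):
    """Minimal API endpoint used as the app under test (constructed sample)."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"status":"ok"}']


def call_app(app, scheme, path="/api/health"):
    """Invoke a WSGI app in-process with a constructed environ and return
    (status, headers dict, body), so the behaviour can be checked offline."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k: v for k, v in headers}
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "SERVER_NAME": "api.example.com", "wsgi.url_scheme": scheme}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = hsts_middleware(demo_app)
    for scheme in ("https", "http"):
        _, headers, _ = call_app(app, scheme)
        value = headers.get("Strict-Transport-Security")
        print(f"{scheme}: {value!r} -> findings: {audit_hsts(value)}")
```

The middleware deliberately strips and re-adds the header rather than appending a second one, so a route that set a weaker value cannot shorten the policy for the whole host; audit_hsts can be pointed at the header from any live HTTPS response to confirm the deployed value before submitting the domain for preloading.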