Severity: HIGH | CWE-319 | Category: Security Headers

Missing HSTS Header

Description

Your app does not send the Strict-Transport-Security (HSTS) header, so browsers never learn that it must be reached only over HTTPS. Without that instruction, any http:// link, bookmark, typed address or attacker-injected redirect puts the user on plaintext HTTP, and a network attacker can hold the connection there (or downgrade it) and read or modify the traffic.

How Vezraa Detects It

We check the HTTP response headers for the Strict-Transport-Security header and validate that its max-age directive is present and long enough to matter. The header only counts when it is served over HTTPS: browsers ignore HSTS on plaintext responses, so a value emitted only by the http:// listener does not fix the finding. Note also that HSTS cannot protect a visitor's very first request to a site the browser has never seen over HTTPS; only the preload list closes that gap.
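The following checker, added here as an illustration and not Vezraa's own scanner code, performs the kind of validation described above: it parses the Strict-Transport-Security field value per RFC 6797, takes only the first STS field (as browsers do), and flags a missing header, a missing or malformed max-age, a short max-age, a missing includeSubDomains, a preload directive whose prerequisites are not met, and a header observed on a plaintext response. The one-year threshold is the minimum hstspreload.org accepts; the sample responses at the bottom are constructed for the demo.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MIN_MAX_AGE = 31536000          # one year: the minimum hstspreload.org accepts
RECOMMENDED_MAX_AGE = 63072000  # two years, matching the fix example on this page

# One directive: a name, optionally "=" and a (possibly quoted) value (RFC 6797 section 6.1).
_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("?)([^";]*)\2\s*)?$')


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> Tuple[Dict[str, Optional[str]], List[str]]:
    """Split one Strict-Transport-Security field value into {lowercased name: value}.
    Directive names are case-insensitive and must not repeat (RFC 6797 section 6.1)."""
    directives: Dict[str, Optional[str]] = {}
    errors: List[str] = []
    for raw in value.split(";"):
        if not raw.strip():
            continue  # tolerate a trailing ';' or an empty segment
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            errors.append(f"malformed directive: {raw.strip()!r}")
            continue
        name = m.group(1).lower()
        if name in directives:
            errors.append(f"duplicate directive: {name}")
            continue
        directives[name] = m.group(3)  # None when the directive carries no value
    return directives, errors


def check_hsts(headers: List[Tuple[str, str]], over_https: bool = True) -> HstsResult:
    """Evaluate HSTS on one response. `headers` is a list of (name, value) pairs so that
    repeated fields stay visible; browsers honour only the first STS field (RFC 6797 8.1)."""
    sts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not sts:
        return HstsResult(present=False, findings=["Strict-Transport-Security header missing"])
    res = HstsResult(present=True)
    if not over_https:
        res.findings.append("header seen on a plaintext HTTP response; browsers ignore it there (RFC 6797 7.2)")
    if len(sts) > 1:
        res.findings.append(f"{len(sts)} STS header fields; browsers process only the first")
    directives, errors = parse_hsts(sts[0])
    res.findings.extend(errors)

    raw_age = directives.get("max-age")
    if raw_age is None:
        res.findings.append("max-age missing; browsers ignore the header")
    elif not re.fullmatch(r"[0-9]+", raw_age):
        res.findings.append(f"max-age is not a non-negative integer: {raw_age!r}")
    else:
        res.max_age = int(raw_age)
        if res.max_age == 0:
            res.findings.append("max-age=0 clears HSTS state instead of enabling it")
        elif res.max_age < MIN_MAX_AGE:
            res.findings.append(f"max-age {res.max_age} is below one year ({MIN_MAX_AGE})")

    res.include_subdomains = "includesubdomains" in directives
    res.preload = "preload" in directives
    if not res.include_subdomains:
        res.findings.append("includeSubDomains absent; subdomains (and cookies scoped to the parent domain) stay downgradable")
    if res.preload and not (res.include_subdomains and res.max_age is not None and res.max_age >= MIN_MAX_AGE):
        res.findings.append("preload present but preload requirements unmet (max-age >= 1 year plus includeSubDomains)")
    return res


# Constructed sample responses (header lists) for the demo, not captured traffic.
SAMPLE_RESPONSES = {
    "missing": [("Content-Type", "text/html")],
    "weak": [("Strict-Transport-Security", "max-age=300")],
    "good": [("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")],
    "dupe": [("Strict-Transport-Security", 'max-age="31536000"; includeSubDomains; max-age=5')],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        r = check_hsts(hdrs)
        print(f"{label:8} present={r.present} max_age={r.max_age} "
              f"subdomains={r.include_subdomains} preload={r.preload}")
        for f in r.findings:
            print(f"         - {f}")
```

To use it against a live site, fetch the https:// URL with a client that does not follow redirects, pass `response.headers.items()` and `over_https=True`; a separate check of the http:// listener should see a redirect to HTTPS rather than a 200 carrying the header.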

Real-World Impact

Users on untrusted networks such as public WiFi are exposed to man-in-the-middle attacks that strip HTTPS (the sslstrip technique): the attacker answers the victim's plaintext request, proxies the real site over HTTPS behind the scenes, and captures login credentials and session cookies in the clear. Without HSTS the browser has no reason to refuse the plaintext connection, so the user sees a working site and no warning.

Fix Example

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Send this header only on HTTPS responses; the http:// listener should redirect to HTTPS instead. includeSubDomains commits every subdomain to HTTPS for the whole max-age, so confirm that none of them still needs plaintext before enabling it. preload requests inclusion in browsers' built-in HSTS lists, which also closes the first-visit gap, but inclusion is submitted separately at hstspreload.org and is slow to reverse. Roll out with a short max-age first and raise it to the value above once nothing breaks.

Affected Stacks

All web apps
