Severity: HIGH | CWE-319 | Category: Security Headers
Missing HSTS Header
Description
Your app does not include the Strict-Transport-Security header, allowing attackers to downgrade connections from HTTPS to HTTP.
How Vezraa Detects It
We check HTTP response headers for the Strict-Transport-Security header and validate its max-age directive.
Real-World Impact
Users on public WiFi are vulnerable to man-in-the-middle attacks that strip HTTPS, exposing login credentials and session cookies.
Fix Example
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
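An added example of the kind of header check described above, written for this page and not Vezraa's own code: it parses the Strict-Transport-Security value out of a response header mapping, validates the max-age directive, and reports the includeSubDomains and preload flags. The one-year minimum is an assumed threshold; the fix above uses two years, and the public preload list requires at least one year.

```python
"""Validate a Strict-Transport-Security (HSTS) response header.

Hypothetical checker for this page (not the scanner's code).
MIN_MAX_AGE is an assumed threshold: one year, the minimum the
HSTS preload list accepts; the fix example uses two years.
"""
import re

MIN_MAX_AGE = 31536000  # one year, in seconds (assumed threshold)


def parse_hsts(value: str) -> dict:
    """Split an HSTS value into its directives; names are case-insensitive."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers: dict) -> dict:
    """Return a finding for a mapping of response headers (names case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    result = {"present": False, "max_age": None, "include_subdomains": False,
              "preload": False, "issues": [], "ok": False}
    value = lowered.get("strict-transport-security")
    if value is None:
        result["issues"].append("Strict-Transport-Security header missing")
        return result
    result["present"] = True
    d = parse_hsts(value)
    result["include_subdomains"] = "includesubdomains" in d
    result["preload"] = "preload" in d
    if "max-age" not in d:
        result["issues"].append("max-age directive missing")
    elif not re.fullmatch(r"\d+", d["max-age"]):
        result["issues"].append("max-age is not a non-negative integer")
    else:
        result["max_age"] = int(d["max-age"])
        if result["max_age"] == 0:
            result["issues"].append("max-age=0 tells browsers to forget the policy")
        elif result["max_age"] < MIN_MAX_AGE:
            result["issues"].append("max-age below the assumed one-year minimum")
    result["ok"] = not result["issues"]
    return result


if __name__ == "__main__":
    # Constructed sample: the page's recommended fix value.
    print(check_hsts({"Strict-Transport-Security":
                      "max-age=63072000; includeSubDomains; preload"}))
```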
Affected Stacks
All web apps