VulWall Team February 18, 2026 5 min read

Missing Security Header Leaves Connections Vulnerable to Interception

Your website is missing a small but important instruction it should send to browsers — one that tells them to always use a secure, encrypted connection. Without it, browsers may occasionally connect over an unencrypted channel, and there is no browser-level safeguard to prevent that from happening. Think of it like a lock on your front door: your HTTPS certificate is the lock, but this header is the sign that tells visitors to always use the locked entrance.

OWASP A05 Effort: trivial Exploitable
hsts http-headers ssl-stripping mitm transport-security tls configuration

Business Impact And Actions

high urgency

Business Impact

Without this header, users who type your address without 'https://' or click an old HTTP link may briefly connect over an unencrypted channel before being redirected. This creates a small window where a network attacker — for example, someone on the same public Wi-Fi — could intercept that initial request. For businesses handling logins, payments, or personal data, this is a compliance flag: missing HSTS is a known failure point in PCI-DSS security scans and can be flagged during SOC 2 or ISO 27001 audits.

What To Do

  1. Forward this report to your developer or hosting provider — the fix is a single line added to your web server configuration and typically takes under 30 minutes.
  2. Ask your developer to verify the header is present after the fix using the free tool at securityheaders.com.
  3. If you process card payments, flag this to your compliance team — missing HSTS is a known PCI-DSS scan failure.
  4. Once the header has been live and stable for a few weeks, ask your developer about submitting your domain to the HSTS preload list for an extra layer of protection.

Missing Strict-Transport-Security (HSTS) Header

medium severity CVSS 5.8–6.5

Vulnerability Explanation

The server does not return a Strict-Transport-Security (HSTS) response header on HTTPS responses. HSTS instructs browsers to automatically upgrade all future connections to HTTPS and refuse to connect over plain HTTP for the declared max-age period. Without it, browsers have no persistent memory of the site's HTTPS requirement. A user who navigates to the site via an HTTP link or types the domain without a scheme will send an unencrypted initial request. A network-positioned attacker can intercept this first request and perform an SSL-stripping attack — transparently downgrading the connection to HTTP and proxying traffic without the user's knowledge. Crucially, no browser warning is shown during a successful SSL-strip, making the attack invisible to the victim.

Root Cause

The web server or application framework is not configured to emit the Strict-Transport-Security response header on HTTPS responses. This is a configuration omission, not a code defect. HSTS is an opt-in mechanism (RFC 6797) and must be explicitly enabled by the server operator.

Technical Impact

A network-positioned attacker (e.g., on the same LAN or a rogue Wi-Fi access point) can perform an SSL-stripping man-in-the-middle attack against users whose first request goes over HTTP. This allows interception of session cookies, credentials, and sensitive form data. Additionally, without HSTS, browsers will allow users to click through invalid certificate warnings, weakening the overall TLS security posture.

Severity Justification

Exploitation requires a network-adjacent attacker and user interaction (the victim must initiate an HTTP connection). There is no direct server-side exploit. CVSS scores from authoritative scanners range from 5.8 to 6.5 (CVSS 3.x), reflecting the realistic but conditional nature of the attack. Rated 'high' by the scanner due to the sensitivity of data that could be exposed if exploited.

Affected Components

  • Web server HTTPS response headers — all versions without HSTS configured

Remediation Steps

  1. Add the HSTS header to your HTTPS server block only (never on HTTP responses). Start with a short max-age (e.g., 300 seconds) to test, then increase to 31536000 (1 year) once confirmed working. See code examples below for Nginx, Apache, and Node/Express.
  2. Ensure your site has a valid TLS certificate and that all subdomains you intend to cover with includeSubDomains also have valid certificates — HSTS will block access to any subdomain without a trusted cert.
  3. Deploy and verify the header is present on all HTTPS responses using: curl -sI https://yourdomain.com | grep -i strict-transport
  4. Gradually increase max-age: start at 300 (5 min), then 86400 (1 day), then 2592000 (30 days), then 31536000 (1 year) over successive deployments.
  5. Optionally, submit your domain to the HSTS preload list at https://hstspreload.org once max-age is at least 31536000 and includeSubDomains is set — this protects users even on their very first visit.

Verification Steps

  1. Run: curl -sI https://yourdomain.com | grep -i strict-transport-security — the header should appear with your configured max-age.
  2. Visit https://securityheaders.com and enter your domain — confirm the HSTS row shows green.
  3. Check the browser DevTools Network tab on an HTTPS response and confirm the Strict-Transport-Security header is present.
  4. Test that HTTP requests redirect to HTTPS: curl -sI http://yourdomain.com — you should receive a 301 redirect to the HTTPS URL.

Code Examples (nginx / apache / javascript)

Vulnerable
# No Strict-Transport-Security header present in server response
Fixed
# Nginx — inside the HTTPS server{} block:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# Apache — inside the HTTPS <VirtualHost *:443> block:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

# Node.js / Express — using Helmet middleware:
const helmet = require('helmet');
app.use(helmet.hsts({
  maxAge: 31536000,
  includeSubDomains: true
}));

Best Practices

  • Always set HSTS only on HTTPS responses — browsers ignore the header if received over HTTP, and it cannot be used to bootstrap a secure connection from scratch.
  • Use includeSubDomains only after confirming all subdomains (including staging/dev) have valid TLS certificates — HSTS will block access to any subdomain that fails certificate validation.
  • Ramp up max-age gradually in production to avoid locking users out if you need to roll back to HTTP for any reason.
  • Consider HSTS preloading (hstspreload.org) for maximum protection, but treat it as a one-way, permanent commitment — removal from the preload list can take months to propagate.

References

Found this in your infrastructure?

VulWall scans for this and dozens of other issues automatically.

Scan Your Domain Free
Back to Knowledge Base