Recipe Name:
Security Misconfiguration: HSTS - includeSubDomains
Description:
Include subdomains in the HSTS domain
Level:
error
Language:
- java
Tags:
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Documentation
Setting includeSubDomains() to true makes sure that subdomains will also be treated as an HSTS domain. This is a default setting in Spring Security.
Cookies can be manipulated from sub-domains, so omitting the includeSubDomains() option permits a broad range of cookie-related attacks that HSTS would otherwise prevent by requiring a valid certificate for a subdomain. Ensuring the secure flag is set on all cookies will also prevent, some, but not all, of the same attacks.
By using the default setting, or explicitly setting includeSubDomains() to true, will instruct Spring Security to treat the subdomains as part of the HSTS domain.
http
.headers()
.httpStrictTransportSecurity()
.includeSubdomains(false)
.maxAgeSeconds(31536000);
After
http
.headers()
.httpStrictTransportSecurity()
.includeSubdomains(true)
.maxAgeSeconds(31536000);
References
Recipe
id: scw:spring:security:hsts-includeSubDomains
version: 10
metadata:
name: 'Security Misconfiguration: HSTS - includeSubDomains'
shortDescription: Include subdomains in the HSTS domain
level: error
language: java
scwCategory: misconfig:generic
enabled: true
descriptionFile: descriptions/SecurityMisconfigurationHSTS-includeSubDomains.html
tags: Spring;security;framework specific;web;Spring Security;OWASP Top 10
search:
methodcall:
args:
1:
type: boolean
value:
stringified: "false"
name: includeSubDomains
declaration:
type: org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.HstsConfig
availableFixes:
- name: Set includeSubDomains to true
actions:
- modifyArguments:
rewrite:
1: "true"