Sensei Logo Sensei Hub

Recipe - Security Misconfiguration: Disable Security Features - HSTS

Description:
Enforce HSTS protection against vulnerabilities over HTTP
Level:
error
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
Documentation

Enforce HSTS protection against vulnerabilities over HTTPS

Disabling httpStrictTransportSecurity() makes the application vulnerable to man-in-the-middle attacks, where an attacker could enforce the use of HTTP, which could allow communication to be intercepted and read. By enabling httpStrictTransportSecurity(), the application will communicate over HTTPS.

Before
http.headers().httpStrictTransportSecurity().disable();
After
http.headers().httpStrictTransportSecurity();
References
Recipe
id: scw:spring:security:hsts-disabled
version: 10
metadata:
  name: 'Security Misconfiguration: Disable Security Features - HSTS'
  shortDescription: Enforce HSTS protection against vulnerabilities over HTTP
  level: error
  language: java
  scwCategory: misconfig:securityfeatures
  enabled: true
  descriptionFile: descriptions/SecurityMisconfigurationDisableSecurityFeatures-HSTS.html
  tags: Spring;security;framework specific;web;Spring Security;OWASP Top 10
search:
  methodcall:
    name: disable
    declaration:
      type: org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.HstsConfig
    "on":
      methodcall:
        name: httpStrictTransportSecurity
        declaration:
          type: org.springframework.security.config.annotation.web.configurers.HeadersConfigurer
availableFixes:
- name: Enable HSTS
  actions:
  - rewrite:
      to: '{{{ qualifier }}}'