Recipe Name:
Security Misconfiguration: HSTS - includeSubDomains
Description:
Include subdomains in the HSTS domain
Level:
error
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
Documentation

Setting includeSubDomains() to true makes sure that subdomains will also be treated as an HSTS domain. This is a default setting in Spring Security.

Cookies can be manipulated from subdomains, so omitting the includeSubDomains() option permits a broad range of cookie-related attacks that HSTS would otherwise prevent by requiring a valid certificate for every subdomain. Setting the secure flag on all cookies also prevents some, but not all, of the same attacks. Keeping the default, or explicitly calling includeSubDomains(true), instructs Spring Security to treat subdomains as part of the HSTS domain.

Before
http
    .headers()
    .httpStrictTransportSecurity()
    .includeSubDomains(false)      // subdomains are excluded from the HSTS policy
    .maxAgeInSeconds(31536000);    // one year
After
http
    .headers()
    .httpStrictTransportSecurity()
    .includeSubDomains(true)       // subdomains are covered (also the default)
    .maxAgeInSeconds(31536000);    // one year
References
Recipe
id: scw:spring:security:hsts-includeSubDomains
version: 10
metadata:
  name: 'Security Misconfiguration: HSTS - includeSubDomains'
  shortDescription: Include subdomains in the HSTS domain
  level: error
  language: java
  scwCategory: misconfig:generic
  enabled: true
  descriptionFile: descriptions/SecurityMisconfigurationHSTS-includeSubDomains.html
  tags: Spring;security;framework specific;web;Spring Security;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "false"
    name: includeSubDomains
    declaration:
      type: org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.HstsConfig
availableFixes:
- name: Set includeSubDomains to true
  actions:
  - modifyArguments:
      rewrite:
        1: "true"