
HSTS (HTTP Strict Transport Security) and PCI DSS approved scans

  • Writer: Nabu
  • Mar 31
  • 3 min read

Updated: Apr 20

Definition:

HSTS (HTTP Strict Transport Security) is a web security policy mechanism that helps websites enforce secure connections by requiring browsers to only interact with them over HTTPS, preventing insecure HTTP connections.


Explanation:

HSTS protects users from certain types of attacks, such as man-in-the-middle (MITM) attacks and SSL stripping, which attempt to downgrade HTTPS connections to unencrypted HTTP. Once a website enables HSTS, the browser automatically upgrades all future requests to HTTPS, even if the user mistakenly types "http://" instead of "https://".


HSTS and PCI DSS Compliance:

The Program Guide (version 4.0) for PCI DSS ASVs uses CVSS (Common Vulnerability Scoring System) to rank the vulnerabilities found by approved scans. According to the guide, "any vulnerability with a CVSS base score of 4.0 or higher will result in a non-compliant scan report, and all such vulnerabilities must be remediated by the scan customer." (section 6.2.1, Vulnerability Categorization).

A missing-HSTS finding has a base score of 6.5 (CVSS v3) or 6.3 (CVSS v4), so it causes the scan to fail.


Checking HSTS by yourself

If your scan reported that your host does not support HSTS, you can check it yourself with nmap's http-security-headers script (the Strict-Transport-Security header is only relevant on the HTTPS port, so scan port 443):

nmap -p 443 --script http-security-headers <hostname or IP address>

Good example:

>nmap -p 443 -script http-security-headers amazon.com
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-31 22:51 W. Europe Daylight Time
Nmap scan report for amazon.com (205.251.242.103)
Host is up (0.11s latency).
Other addresses for amazon.com (not scanned): 52.94.236.248 54.239.28.85
rDNS record for 205.251.242.103: s3-console-us-standard.console.aws.amazon.com

PORT STATE SERVICE
443/tcp open https
| http-security-headers:
| Strict_Transport_Security:
|_ Header: Strict-Transport-Security: max-age=47474747; includeSubDomains; preload

Nmap done: 1 IP address (1 host up) scanned in 6.12 seconds


Bad example:

>nmap -p 443 -script http-security-headers <Domain>
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-31 22:51 W. Europe Daylight Time
Nmap scan report for <Domain> (IP address)
Host is up (0.021s latency).
Other addresses for <Domain> (not scanned): ...

PORT STATE SERVICE
443/tcp open https
| http-security-headers:
| Strict_Transport_Security:
|_ HSTS not configured in HTTPS Server

Nmap done: 1 IP address (1 host up) scanned in 19.85 seconds

How to Solve HSTS Issues for PCI DSS Compliance:

  1. Enable HSTS on the Web Server:

    • Note that HSTS should be set on your apex domain (mydomain.com) and not only on a subdomain (such as www.mydomain.com). Make sure to include the includeSubDomains directive so that the policy also covers every subdomain.

  2. Ensure TLS/SSL is Properly Configured:

    • Use strong TLS 1.2 or higher encryption.

    • Disable weak encryption protocols like SSL 3.0 and TLS 1.0.

  3. Preload HSTS (Optional but Recommended):

    • Websites can submit their domain to Chrome’s HSTS preload list, ensuring that browsers enforce HTTPS before even making the first request.

  4. Regularly Test Compliance:

    • Re-scan after every web server or load balancer change to verify that the Strict-Transport-Security header is still served.



Exceptions:

There are cases where there is a good reason why the scanner does not see HSTS. In these cases it is not necessary to fix the scanned host; instead, let us know the reason the host does not comply with HSTS, and we will file it as an exception.

Examples of such exceptions:

  1. The host is an API-only server, so clients never access it through a web browser.

  2. The host was specified by an IP address and not by a domain name (FQDN).

    The best practice is to scan by FQDN, not by IP address. In many cases, load balancers, WAFs or other infrastructure elements will not serve requests addressed to a bare IP and will return an error page (e.g. 404) with minimal headers, specifically without HSTS.

    Also, with virtual hosting, where multiple domains share the same IP address, the server cannot tell which site a request addressed by IP is meant for, so you may end up not testing your site at all. HSTS may therefore work with the domain name but not with the IP address.
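The following is an added example, not code from the original post: it evaluates a response's Strict-Transport-Security header the way the nmap check above does (missing header = failing finding, otherwise whether the policy meets the preload-list requirements), and its optional live check connects to an IP while presenting the FQDN in SNI and the Host header, which is the virtual-host case just described. The sample headers are constructed; the good one copies the amazon.com value from the scan output above.

```python
import socket
import ssl

# One year in seconds: the minimum max-age the HSTS preload list accepts.
PRELOAD_MIN_MAX_AGE = 31536000

# Constructed samples: the header from the amazon.com scan above, and a server sending no HSTS.
GOOD_SAMPLE = {"Strict-Transport-Security": "max-age=47474747; includeSubDomains; preload"}
BAD_SAMPLE = {"Content-Type": "text/html"}

def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into directives (RFC 6797: case-insensitive names)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def evaluate_hsts(headers: dict) -> str:
    """Classify a response the way the ASV scan does: a missing header is a failing finding."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "FAIL: HSTS not configured in HTTPS server"
    policy = parse_hsts(value)
    if policy["max_age"] is None:
        return "FAIL: max-age missing, browsers ignore the header"
    if policy["max_age"] >= PRELOAD_MIN_MAX_AGE and policy["include_subdomains"] and policy["preload"]:
        return "PASS: HSTS configured and preload-eligible"
    return "PASS: HSTS configured, not preload-eligible"

def fetch_hsts(fqdn: str, connect_to: str = "") -> str:
    """Live check (needs network; the samples above do not use it). Connecting to an IP while
    sending the FQDN in SNI and Host shows what a by-name scan sees on a shared address."""
    ctx = ssl.create_default_context()
    with socket.create_connection((connect_to or fqdn, 443), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
        tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {fqdn}\r\nConnection: close\r\n\r\n".encode())
        reply = b""
        while chunk := tls.recv(4096):
            reply += chunk
    lines = reply.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")[1:]
    headers = dict(ln.split(":", 1) for ln in lines if ":" in ln)
    return evaluate_hsts({k.strip(): v.strip() for k, v in headers.items()})
```

Calling fetch_hsts("www.example.com", "203.0.113.10") checks the named site on that address; fetch_hsts("www.example.com") resolves it normally.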


For more information on how to implement a scan for PCI DSS, and how to handle vulnerabilities such as lack of HSTS, contact us or check here for more details.
