turbot/net_insights
GitHub
Loading controls...

Control: Site headers must contain Strict-Transport-Security

Description

The HTTP Strict-Transport-Security (HSTS) response header helps to strengthens your TLS implementation by informing the browser that the site should only be accessed using HTTPS, and any further attempts to access the site using HTTP should automatically redirect to HTTPS. These countermeasures help prevent Man-in-the-middle attacks as well as other attacks such as Session Hijacking.

Usage

Run the control in your terminal:

steampipe check net_insights.control.security_headers_strict_transport_security

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share net_insights.control.security_headers_strict_transport_security

Plugins & Tables

Params

ArgsNameDefaultDescriptionVariable
$1website_urls
["https://github.com","https://microsoft.com"]
Website URLs.

SQL

with available_headers as (
select
url,
array_agg(header.key)
from
net_http_request,
jsonb_each(response_headers) as header
where
url in (
select
jsonb_array_elements_text(to_jsonb($1 :: text [ ]))
)
group by
url
)
select
url as resource,
case
when array [ 'Strict-Transport-Security' ] < @ array_agg then 'ok'
else 'alarm'
end as status,
case
when array [ 'Strict-Transport-Security' ] < @ array_agg then url || ' contains required headers ''Strict-Transport-Security''.'
else url || ' missing required headers ''Strict-Transport-Security''.'
end as reason
from
available_headers;