Loading controls...
Control: Site headers must contain Strict-Transport-Security
Description
The HTTP Strict-Transport-Security (HSTS) response header helps to strengthens your TLS implementation by informing the browser that the site should only be accessed using HTTPS, and any further attempts to access the site using HTTP should automatically redirect to HTTPS. These countermeasures help prevent Man-in-the-middle attacks as well as other attacks such as Session Hijacking.
Usage
Run the control in your terminal:
steampipe check net_insights.control.security_headers_strict_transport_securitySnapshot and share results via Steampipe Cloud:
steampipe loginsteampipe check --share net_insights.control.security_headers_strict_transport_securityPlugins & Tables
Params
| Args | Name | Default | Description | Variable |
|---|---|---|---|---|
| $1 | website_urls | | Website URLs. |
SQL
with available_headers as ( select url, array_agg(header.key) from net_http_request, jsonb_each(response_headers) as header where url in ( select jsonb_array_elements_text(to_jsonb($1 :: text [ ])) ) group by url)select url as resource, case when array [ 'Strict-Transport-Security' ] < @ array_agg then 'ok' else 'alarm' end as status, case when array [ 'Strict-Transport-Security' ] < @ array_agg then url || ' contains required headers ''Strict-Transport-Security''.' else url || ' missing required headers ''Strict-Transport-Security''.' end as reasonfrom available_headers;