Santandersecurityresearch / DrHeader

drHEADer helps with the audit of security headers received in response to a single request or a list of requests.
MIT License

Advance DrHeader to evaluate HSTS max-age #250

Open manuel-sommer opened 2 years ago

manuel-sommer commented 2 years ago

drHEADer version: 1.7.0

DrHEADer supports evaluating HSTS (Strict-Transport-Security). For this header, the value "max-age" is needed. As soon as the max-age is not exactly equal to the value from the yaml file, DrHEADer triggers a finding.

Please implement an evaluation of whether the max-age of the evaluated target is greater than or equal to the value set in the DrHEADer yaml file. This would reduce the number of findings of DrHEADer and make the evaluation of HSTS more reliable.

emilejq commented 1 year ago

I'm not sure I see the value in this. 1 year is a well established benchmark that's pretty ubiquitous, and it's unlikely that anyone would want to set a max-age that equates to 1 year + an arbitrary number of seconds.

I'd support increasing the expected value in the default rules to 63072000 (2 years), which is the recommendation from Google when using the preload list https://hstspreload.org/#deployment-recommendations

manuel-sommer commented 1 year ago

I changed the PR so that greaterequal-age can be used.
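The behaviour the issue body describes (a finding whenever max-age differs from the yaml value) against the requested relaxation (pass when max-age is at least the yaml value), and emilejq's 2-year figure, are illustrated below in an added example. This is not DrHeader's own code and does not use its YAML schema: `parse_hsts`, `evaluate_max_age`, the `mode` values `exact` / `greater-equal`, and the sample header values are all assumptions made up for this illustration. The parser follows RFC 6797 (directive names are case-insensitive, values may be quoted, and a directive must not appear twice), so a malformed or duplicated directive becomes a finding instead of a crash.

```python
"""Added example, not DrHeader's own code: evaluate an HSTS max-age
against a rule value with either exact-match or greater-or-equal
semantics. Function names, mode strings and sample headers are
assumptions for illustration, not DrHeader's YAML schema."""

import re
from typing import Optional

# One directive: name, optional "=value" where the value may be quoted.
# Whitespace around the directive and around "=" is tolerated.
_DIRECTIVE_RE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*("?)([^";\s]*)\2)?\s*')


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value into {name: value_or_None}.

    Names are lower-cased because RFC 6797 makes them case-insensitive.
    A repeated directive raises ValueError, as the RFC forbids duplicates.
    """
    directives = {}
    for raw in value.split(";"):
        if not raw.strip():
            continue  # tolerate a trailing ';' or empty segment
        m = _DIRECTIVE_RE.fullmatch(raw)
        if not m:
            raise ValueError(f"malformed HSTS directive: {raw.strip()!r}")
        name = m.group(1).lower()
        if name in directives:
            raise ValueError(f"duplicate HSTS directive: {name}")
        directives[name] = m.group(3)  # None when the directive has no '='
    return directives


def max_age_seconds(directives: dict) -> Optional[int]:
    """Return max-age as an int, or None if absent or not a non-negative integer."""
    raw = directives.get("max-age")
    if raw is None or not raw.isdigit():
        return None
    return int(raw)


def evaluate_max_age(header_value: str, expected: int, mode: str = "greater-equal") -> list:
    """Return a list of finding strings; an empty list means the header passes.

    mode='exact' reproduces the equality check the issue complains about.
    mode='greater-equal' is the requested relaxation: any max-age at or above
    the rule value passes. A header of max-age=0 (which tells browsers to
    forget the policy) is still a finding in both modes when expected > 0.
    """
    if mode not in ("exact", "greater-equal"):
        raise ValueError(f"unknown mode {mode!r}")
    try:
        directives = parse_hsts(header_value)
    except ValueError as exc:
        return [str(exc)]
    age = max_age_seconds(directives)
    if age is None:
        return ["max-age directive missing or not a non-negative integer"]
    if mode == "exact" and age != expected:
        return [f"max-age is {age}, expected exactly {expected}"]
    if mode == "greater-equal" and age < expected:
        return [f"max-age is {age}, expected at least {expected}"]
    return []


ONE_YEAR = 31536000   # the 1-year benchmark discussed in the issue
TWO_YEARS = 63072000  # the 2-year value emilejq proposes for the default rule

# Constructed sample header values, not captured from any real host.
SAMPLES = {
    "exact-one-year": "max-age=31536000; includeSubDomains",
    "two-years-preload": "max-age=63072000; includeSubDomains; preload",
    "too-short": "max-age=86400",
    "disabling": "max-age=0",
    "quoted": 'max-age="31536000"',
    "no-max-age": "includeSubDomains",
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        for mode in ("exact", "greater-equal"):
            findings = evaluate_max_age(hdr, ONE_YEAR, mode=mode)
            verdict = "pass" if not findings else findings[0]
            print(f"{label:18} rule=1y mode={mode:13} -> {verdict}")
```

Running the block shows the difference the issue is after: the 2-year header fails the `exact` rule but passes `greater-equal`, while the short and `max-age=0` headers fail both. If the default rule were raised to `TWO_YEARS`, a site still on the 1-year value would become a finding under either mode, which is the trade-off behind emilejq's suggestion.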