rbsec / sslscan

sslscan tests SSL/TLS enabled services to discover supported cipher suites
GNU General Public License v3.0

Not detecting "Strict HSTS" compliance for serverless Azure functions #170

Closed sandeepnmenon closed 5 years ago

sandeepnmenon commented 5 years ago

While checking for strict (Strict Transport Security) HSTS compliance, the scanner is rejecting the serverless Azure function that I have deployed. According to the scanner: "The HSTS Policy is communicated by the server to the user agent via a HTTP response header field named "Strict-Transport-Security". HSTS Policy specifies a period of time during which the user agent shall access the server in only secure fashion." And it provides an example:


Also, in the implementation documentation, it says to add the above header to configure Strict Transport Security (HSTS): Response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");

Hence I added the above marked header to my Azure function (also included the parameter for subdomains). I get the following headers for the endpoint:

The strict HSTS compliance is failing even though the security header is present for the function.
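The post describes the header value HSTS policy is carried in (a max-age directive plus optional includeSubDomains), and the maintainer's reply below notes that sslscan does not check it at all. The following is an added example, not code from sslscan or from the reporter, of what a strict HSTS check over a response's headers has to do: parse the Strict-Transport-Security value using the RFC 6797 directive rules and report why a response fails. The header dictionaries and the one-year threshold are assumptions taken from the header quoted in the post.

```python
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the max-age used in the header quoted in the post

def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value per RFC 6797 directive syntax.
    Names are case-insensitive, unknown directives are ignored, and a directive
    that appears twice makes the whole header invalid."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for token in (t.strip() for t in value.split(";")):
        if not token:
            continue
        name, _, val = token.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {val!r}")
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy

def strict_hsts_findings(headers: Dict[str, str], min_max_age: int = ONE_YEAR) -> List[str]:
    """Reasons a response fails a strict HSTS check; an empty list means it passes.
    Header names are matched case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security header missing"]
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [f"invalid header: {exc}"]
    findings = []
    if policy["max_age"] < min_max_age:
        findings.append(f"max-age {policy['max_age']} is below {min_max_age}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains directive absent")
    return findings
```

Running strict_hsts_findings over the headers actually returned by the endpoint shows whether the header survives the platform unchanged; a header that is present but rewritten or duplicated by a proxy in front of the function fails the check even though the code sets it correctly.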

rbsec commented 5 years ago

I think you're mixing up sslscan with another tool (ssllabs?). sslscan does not do any kind of check for HTTP headers like HSTS.