Proper HSTS (HTTP Strict-Transport-Security) response header configuration on delivered scripts

Ensure a secure connection over time and prevent man-in-the-middle attacks that hijack Elfsight scripts. https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html


Currently, the scripts are served with a Strict-Transport-Security header that sets max-age=0. This configuration is NOT secure (comparable to not having the header at all) and can be categorized as abuse of HSTS to track users (since the header would not be needed at all with max-age=0, this conclusion is fairly straightforward).
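To make the difference concrete, the following added example (not code from the original post or from Elfsight) parses a Strict-Transport-Security header value the way a browser does per RFC 6797 and reports why `max-age=0` is ineffective, alongside the hardened form recommended in the OWASP cheat sheet. The one-year threshold and the sample header values are assumptions constructed for this example.

```python
"""Parse and assess a Strict-Transport-Security (HSTS) header value.

Added example: assesses whether a header actually enforces HTTPS and
lists configuration weaknesses a defender would want flagged.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed threshold for this example: one year in seconds, the minimum
# max-age commonly recommended (OWASP cheat sheet; also required for the
# browser preload list).  Not a value taken from the original post.
MIN_RECOMMENDED_MAX_AGE = 31_536_000


@dataclass
class HstsAssessment:
    present: bool                 # was a header value supplied at all?
    max_age: Optional[int]        # parsed max-age in seconds, if valid
    include_subdomains: bool
    preload: bool
    effective: bool               # True only if the policy enforces HTTPS
    findings: List[str] = field(default_factory=list)


def parse_hsts(value: Optional[str]) -> HstsAssessment:
    """Parse one STS header field value (RFC 6797 section 6.1 grammar)."""
    if value is None:
        return HstsAssessment(False, None, False, False, False, ["header missing"])

    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    findings: List[str] = []

    # Directives are ';'-separated; names are case-insensitive and each
    # directive may appear only once.  Unknown directives are ignored.
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, param = directive.partition("=")
        name = name.strip().lower()
        param = param.strip().strip('"')
        if name == "max-age":
            if max_age is not None:
                findings.append("duplicate max-age directive")
            if not param.isdigit():
                findings.append(f"max-age is not a non-negative integer: {param!r}")
            else:
                max_age = int(param)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        else:
            findings.append(f"unknown directive ignored: {name!r}")

    # A policy is only enforced when max-age is present and positive.
    effective = max_age is not None and max_age > 0
    if max_age is None:
        findings.append("max-age missing: browsers ignore the header")
    elif max_age == 0:
        findings.append("max-age=0 clears any stored policy; equivalent to no HSTS")
    elif max_age < MIN_RECOMMENDED_MAX_AGE:
        findings.append(f"max-age {max_age} is below the recommended {MIN_RECOMMENDED_MAX_AGE}")
    if effective and not include_subdomains:
        findings.append("includeSubDomains absent: subdomains remain downgradeable")
    if preload and (not include_subdomains or (max_age or 0) < MIN_RECOMMENDED_MAX_AGE):
        findings.append("preload present but preload-list requirements are not met")

    return HstsAssessment(True, max_age, include_subdomains, preload, effective, findings)


# Constructed sample header values: the weak setting described in the post
# and the hardened form recommended by the OWASP cheat sheet.
SAMPLE_HEADERS = {
    "weak (as currently served)": "max-age=0",
    "hardened": "max-age=31536000; includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        result = parse_hsts(header)
        print(f"{label}: effective={result.effective} findings={result.findings}")
```

Running the block prints that the weak header is not effective (its only result is to clear any stored policy) while the hardened header passes with no findings; the same `parse_hsts` function can be pointed at a live response header captured with a browser's network panel or `curl -I`.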

  • Guest
  • Jun 10 2021