ANSSI Reco-TLS R3
Configure HSTS on HTTPS responses only
UnveilScan findings mapped to this control
The scanner emits 1 distinct finding on this control. Click "Scan a domain" below to see which of them currently apply to your site, with copy-paste remediation snippets (nginx, Apache, DNS BIND, web-server config).
web.hsts_on_http_response
⏱ 15 min
WEB — HSTS on HTTP response
Risk if ignored: a Strict-Transport-Security header on a cleartext HTTP response is ignored by spec-compliant browsers. RFC 6797 §7.2 forbids an HSTS host from sending the header over non-secure transport, and §8.1 requires the user agent to ignore it when received that way. Its presence signals that the operator believes HSTS protects the HTTP-to-HTTPS hop, when in fact the policy is only learnt once the redirect has landed on HTTPS; until then an on-path attacker can strip or rewrite the header, or the redirect itself, on cleartext at will. The header belongs on the HTTPS response only; the cleartext listener should do nothing but redirect, and the first-visit gap is closed by HSTS preloading, not by headers on port 80.
security operational
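The check below is an added example, not UnveilScan's scanner code: it parses two constructed raw HTTP captures (port 80 and port 443) for one host, applies the RFC 6797 §8.1 rule that a user agent only honours Strict-Transport-Security received over secure transport, and emits the finding when the header shows up on the cleartext hop. The finding IDs other than `web.hsts_on_http_response`, the host `example.test`, and the function names are this example's own assumptions.

```python
"""Classify HSTS placement the way an RFC 6797 user agent does.

Added example, not UnveilScan code. Input is two constructed raw HTTP
responses standing in for what a scanner captures from ports 80 and 443.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Response:
    secure: bool                      # True if received over TLS
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def parse_response(raw: bytes, secure: bool) -> Response:
    """Parse the status line and headers of a raw HTTP/1.1 response.

    Header names are lower-cased. A repeated STS header keeps the first
    value, matching RFC 6797 section 8.1 (the first such field is processed).
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return Response(secure=secure, status=status, headers=headers)


def ua_accepts_hsts(resp: Response) -> bool:
    """RFC 6797 section 8.1: an STS header on insecure transport MUST be ignored."""
    return resp.secure and "strict-transport-security" in resp.headers


def check_hsts_placement(http_resp: Response, https_resp: Response) -> List[str]:
    """Return finding IDs for the cleartext and TLS responses of one host.

    Only web.hsts_on_http_response is the scanner's ID; the two
    "example.*" labels are assumptions made for this example.
    """
    findings: List[str] = []
    if "strict-transport-security" in http_resp.headers:
        # Present on cleartext: browsers ignore it and an on-path attacker
        # can strip or rewrite it, so it protects nothing on this hop.
        findings.append("web.hsts_on_http_response")
    if not ua_accepts_hsts(https_resp):
        # This is where the policy actually has to live.
        findings.append("example.hsts_missing_on_https")
    location = http_resp.headers.get("location", "")
    if not (http_resp.status in (301, 308) and location.startswith("https://")):
        findings.append("example.http_not_redirected_to_https")
    return findings


# Constructed sample captures (not real scan data). The port-80 response
# redirects correctly but also carries HSTS, which is the misconfiguration.
RAW_HTTP = (b"HTTP/1.1 301 Moved Permanently\r\n"
            b"Location: https://example.test/\r\n"
            b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
            b"Content-Length: 0\r\n\r\n")
RAW_HTTPS = (b"HTTP/1.1 200 OK\r\n"
             b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
             b"Content-Type: text/html\r\n\r\n<html></html>")


def scan_sample() -> List[str]:
    return check_hsts_placement(parse_response(RAW_HTTP, secure=False),
                                parse_response(RAW_HTTPS, secure=True))


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

On the sample, `scan_sample()` reports only `web.hsts_on_http_response`: the HTTPS side is fine, so the fix is purely to stop sending the header on the cleartext listener. In nginx that means keeping `add_header Strict-Transport-Security ...` in the `listen 443 ssl` server block only and reducing the `listen 80` block to `return 301 https://$host$request_uri;`; in Apache, the equivalent is putting the `Header always set Strict-Transport-Security` line inside the `:443` VirtualHost rather than the `:80` one.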