# HSTS Header Analyzer
| Category | Severity | Time To Fix |
|---|---|---|
| 🛡️ Security | Major | 5 minutes |

Class: `Enlightn\Enlightn\Analyzers\Security\HSTSHeaderAnalyzer`
# Introduction
Many applications today are HTTPS only. Besides the obvious security and trust benefits, HTTPS also boosts your SEO ranking.

For HTTPS only apps, it is recommended to include the HTTP Strict Transport Security (HSTS) header. This header tells browsers that the site should only be accessed over HTTPS, never plain HTTP, and helps prevent man-in-the-middle attacks.

This analyzer detects whether your application sets the HSTS header if it is an HTTPS only app.
# How To Fix
You can add the HSTS security header in your web server configuration.

For Nginx, you may use the `add_header` directive in your `server` or `location` block:

```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```

For Apache, you may use the `Header` directive in your `<VirtualHost>`, `<Directory>` or `<Location>` container:

```apache
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
```
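The following is an added example, not Enlightn's own code, showing the kind of check this analyzer performs: it parses the `Strict-Transport-Security` value from a response's headers and reports whether HSTS is present and sensibly configured. The sample header sets (`NGINX_SAMPLE`, `APACHE_SAMPLE`, `WEAK_SAMPLE`, `MISSING_SAMPLE`) are constructed, and the one-year `max-age` threshold and the `includeSubDomains` expectation are assumptions chosen for this example rather than thresholds stated on this page.

```python
"""Parse and evaluate a Strict-Transport-Security header value.

Added example (not Enlightn's own code). Mirrors the analyzer's question,
"is HSTS set on an HTTPS-only app?", and adds a sanity check of the policy
against constructed sample responses.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption for this example: one year is the commonly recommended minimum.
MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    problems: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse HSTS directives; names are case-insensitive, separated by ';'."""
    max_age = None
    include_subdomains = False
    preload = False
    problems: List[str] = []
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                problems.append("max-age is not a non-negative integer")
            else:
                max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Unknown directives are ignored, as browsers ignore them.
    if max_age is None:
        problems.append("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload, problems)


def analyze_response_headers(headers: Dict[str, str], https_only: bool = True) -> List[str]:
    """Return findings for one response; an empty list means the check passes.

    Like the analyzer's skip condition, nothing is reported for apps that are
    not HTTPS only.
    """
    if not https_only:
        return []
    # Header names are case-insensitive; normalize before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["HSTS header missing on an HTTPS-only app"]
    policy = parse_hsts(value)
    findings = list(policy.problems)
    if policy.max_age is not None and policy.max_age < MIN_MAX_AGE:
        findings.append(f"max-age {policy.max_age} is below {MIN_MAX_AGE} (one year)")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set; subdomains stay unprotected")
    return findings


# Constructed sample responses (not captured from a real application).
NGINX_SAMPLE = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
APACHE_SAMPLE = {"strict-transport-security": "max-age=63072000; includeSubDomains"}
WEAK_SAMPLE = {"Strict-Transport-Security": "max-age=300"}
MISSING_SAMPLE = {"Content-Type": "text/html"}

if __name__ == "__main__":
    samples = [("nginx", NGINX_SAMPLE), ("apache", APACHE_SAMPLE),
               ("weak", WEAK_SAMPLE), ("missing", MISSING_SAMPLE)]
    for label, hdrs in samples:
        print(label, analyze_response_headers(hdrs) or "OK")
```

The two web server snippets above both produce policies that pass this check; a short `max-age` or a missing header is reported, and a non-HTTPS-only app is skipped, matching the analyzer's skip condition.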
# Configuration Options
By default, this analyzer looks for a named route called `login` to inspect the headers in the response. You may change the route the analyzer hits by specifying the `guest_url` configuration option in your `config/enlightn.php` file:

```php
/*
|--------------------------------------------------------------------------
| Guest URL
|--------------------------------------------------------------------------
|
| Specify any guest url or path (preferably your app's login url) here. This
| would be used by Enlightn to inspect your application HTTP headers.
| Example: '/login'.
|
*/
'guest_url' => '/login',
```
# Skip Condition
This analyzer is skipped if your app is not HTTPS only (verified by the APP URL or the `session.secure` configuration option).