Strict-Transport-Security Multiple Header Entries (Non-compliant with Spec)
- Risk: Low
- Type: Passive
- CWE: CWE-319
- Summary
Multiple HTTP Strict Transport Security (HSTS) header entries were found in a single response. This is not compliant with the specification (RFC 6797): a user agent will process only the first HSTS header field and ignore the others, so the HSTS policy the server intended may be applied incorrectly.
HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).
- Solution
Ensure that only one component in your stack (application code, web server, application server, load balancer, etc.) is configured to set or add an HTTP Strict-Transport-Security (HSTS) header.
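The following is an added example, not ZAP's own scan-rule code, showing the check this alert performs and why duplicate entries matter: it parses a raw HTTP response, counts Strict-Transport-Security header fields, and reports the policy a compliant user agent would actually apply (the first field only, per RFC 6797) next to the entries that would be ignored. The sample responses are constructed; the 300-second entry stands in for a second component (e.g. a load balancer) adding its own header.

```python
HSTS_NAME = "strict-transport-security"


def parse_headers(raw):
    """Split a raw HTTP/1.1 response (status line + headers) into (name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # drop the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_hsts_directives(value):
    """Parse the directives of one STS header value: max-age, includeSubDomains, preload."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def check_hsts(raw):
    """Return what a user agent applies (first header only) and which entries it ignores."""
    values = [v for n, v in parse_headers(raw) if n == HSTS_NAME]
    return {
        "count": len(values),
        "multiple": len(values) > 1,          # the condition this alert fires on
        "effective": parse_hsts_directives(values[0]) if values else None,
        "ignored": values[1:],                # silently dropped by a compliant UA
    }


# Constructed sample: the application sets a long-lived policy, a second
# component appends a short one; only the first is honoured.
SAMPLE_DUPLICATE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "\r\n<html></html>"
)
# Constructed sample of the fixed configuration: exactly one HSTS header.
SAMPLE_SINGLE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n<html></html>"
)
```

Had the components been configured the other way round, the effective policy would silently shrink to max-age=300 without includeSubDomains, which is the misapplied-policy risk the alert describes.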