Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec)
- Risk: Low
- Type: Passive
- CWE: CWE-319
- Summary
An HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive. The max-age value may be a quoted-string, but the directive name itself must be an unquoted token. See RFC 6797 for further details.
HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).
- Solution
Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with an appropriate format.
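The following checker, added here as an illustration and not part of ZAP's own scan rule, parses a Strict-Transport-Security value against the directive grammar of RFC 6797 section 6.1 (directive-name is a token; directive-value is a token or quoted-string) and reports the cases this alert and the solution above care about: a quoted directive name, a missing or non-numeric max-age, and duplicated directives. The sample headers at the bottom are constructed for the example.

```python
import re

# Grammar from RFC 6797 section 6.1 (token and quoted-string per RFC 7230):
#   Strict-Transport-Security = "Strict-Transport-Security" ":"
#                               [ directive ] *( ";" [ directive ] )
#   directive       = directive-name [ "=" directive-value ]
#   directive-name  = token
#   directive-value = token | quoted-string
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
DIRECTIVE_RE = re.compile(
    rf"^\s*(?P<name>{TOKEN})\s*(?:=\s*(?P<value>{TOKEN}|{QUOTED_STRING}))?\s*$"
)


def parse_hsts(header_value):
    """Parse an HSTS header value.

    Returns (directives, problems): directives maps the lower-cased directive
    name to its unquoted value (None when the directive carries no value);
    problems is a list of human-readable findings, empty if the header is
    well-formed.
    """
    directives = {}
    problems = []
    for raw in header_value.split(";"):
        if raw.strip() == "":
            continue  # the grammar allows empty directive slots ("a;;b")
        m = DIRECTIVE_RE.match(raw)
        if not m:
            # Covers the case this alert reports: a quote before the directive
            # name, e.g. "max-age=31536000" or "max-age"=31536000.
            problems.append(f"malformed directive (name must be a token): {raw.strip()!r}")
            continue
        name = m.group("name").lower()
        value = m.group("value")
        if value is not None and value.startswith('"'):
            # A quoted-string value is permitted; unquote it for comparison.
            value = value[1:-1].replace('\\"', '"')
        if name in directives:
            problems.append(f"duplicate directive: {name}")  # forbidden by RFC 6797
            continue
        directives[name] = value

    if "max-age" not in directives:
        problems.append("missing required max-age directive")
    elif directives["max-age"] is None or not directives["max-age"].isdigit():
        problems.append(f"max-age must be a non-negative integer, got {directives['max-age']!r}")
    return directives, problems


def hsts_is_compliant(header_value):
    """True when the header value parses with no findings."""
    return parse_hsts(header_value)[1] == []


if __name__ == "__main__":
    # Constructed sample headers: the first two are valid, the rest are not.
    samples = [
        'max-age=31536000; includeSubDomains',
        'max-age="31536000"',          # quoted value: allowed
        '"max-age=31536000"',          # quoted directive: what this alert flags
        '"max-age"=31536000',          # quoted directive name: also malformed
        'includeSubDomains',           # max-age missing entirely
        'max-age=abc',                 # non-numeric max-age
    ]
    for s in samples:
        _, findings = parse_hsts(s)
        print(f"{s!r:40} -> {'OK' if not findings else findings}")
```

Run it against the header your server actually emits (for example the value captured from a `curl -sI` response) before and after changing the configuration; a compliant value produces no findings.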