Burp Suite User Forum


Add test for HTTP Strict Transport Security (HSTS) and update the Cacheable HTTPS Response test

George | Last updated: Jul 09, 2015 06:17PM UTC

In the most recent version 1.6.21 - I see that under the Scanner tab you have added the "Issue" Listing - Thank you for that!!! However, I do not see any test for the absence of the HTTP Strict Transport Security (HSTS) Header element in that list. Please consider the addition of a test for that issue in a future release. Also in the test for Cacheable HTTPS Response (0x00700100) - it would be helpful if that test could detect when the developer has chosen to put the Cache Controls as Meta tags in the HTML body instead of header elements.
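The two checks requested above, written as a stand-alone passive check over a captured HTTPS response (added example; this is not Burp's scanner code and not the BApp mentioned later in the thread). It assumes headers are given as a dict and treats `no-store` as the directive that makes a response non-cacheable; the sample responses are constructed.

```python
from html.parser import HTMLParser


class _MetaCacheParser(HTMLParser):
    """Collect <meta http-equiv=...> tags that try to control caching from the HTML body."""
    CACHE_EQUIVS = {"cache-control", "pragma", "expires"}

    def __init__(self):
        super().__init__()
        self.found = []  # list of (http-equiv name, content)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() in self.CACHE_EQUIVS:
            self.found.append((a["http-equiv"].lower(), a.get("content", "")))


def check_response(is_https, headers, body):
    """Passive checks: missing HSTS header, and cacheable HTTPS responses
    (including the case where cache directives live only in HTML meta tags).
    Returns a list of issue strings; empty means nothing to report."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    issues = []
    if not is_https:
        return issues  # both checks only apply to responses served over TLS
    if "strict-transport-security" not in h:
        issues.append("Missing Strict-Transport-Security header")
    header_no_store = "no-store" in h.get("cache-control", "").lower()
    parser = _MetaCacheParser()
    parser.feed(body)
    meta_no_store = any("no-store" in content.lower() for _, content in parser.found)
    if header_no_store:
        pass  # cache directive is in the real header: nothing to flag
    elif meta_no_store:
        # Meta http-equiv directives are not seen by proxies and are ignored
        # by many browser caches, so this still deserves an issue.
        issues.append("Cache directives only in HTML meta tags, not in response headers")
    else:
        issues.append("Cacheable HTTPS response: no 'no-store' in Cache-Control header or meta tag")
    return issues


# Constructed sample: HTTPS response with no HSTS and caching controlled only via meta tags.
SAMPLE_HEADERS = {"Content-Type": "text/html", "Cache-Control": "private"}
SAMPLE_BODY = '<html><head><meta http-equiv="Cache-Control" content="no-store"></head></html>'

if __name__ == "__main__":
    for issue in check_response(True, SAMPLE_HEADERS, SAMPLE_BODY):
        print(issue)
```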

PortSwigger Agent | Last updated: Jul 20, 2015 12:21PM UTC

Thank you for these suggestions and apologies for the slow reply. Both of these are in our roadmap for the Scanner, and will hopefully be addressed within the coming few months.

Burp User | Last updated: Aug 25, 2015 06:45AM UTC

The "Additional Scanner Checks" BApp adds passive checks for the following headers, and reports issues if they are missing: Strict-Transport-Security, X-Content-Type-Options: nosniff, and X-XSS-Protection.

PortSwigger Agent | Last updated: Aug 25, 2015 07:03AM UTC

The current version of Burp reports lack of HSTS. This scan check was added a few versions ago, so you should update to the current version.

Burp User | Last updated: May 26, 2017 01:08PM UTC

Does Burp support HTTP Strict Transport Security (HSTS) in v1.6.18?
