Burp Suite User Forum


Alert on HSTS not enforced for HTTP Options Request

Gary | Last updated: Mar 23, 2020 08:52AM UTC

Hi there, Burp Suite Professional reports a lot of low severity alerts on HSTS not enforced for HTTP OPTIONS requests. Is it reasonable to enforce HSTS even on HTTP OPTIONS requests? Thanks, Gary

Hannah, PortSwigger Agent | Last updated: Mar 24, 2020 01:43PM UTC

Hi Gary, Yes, it is reasonable to enforce HSTS on OPTIONS requests and, in the right circumstances, if you don't have it configured, it could be exploitable.

Gary | Last updated: Mar 25, 2020 05:40PM UTC

Hi Hannah, Could you kindly explain more on how this could be exploitable? Even if the response messages of OPTIONS requests are tampered with, hackers cannot use them for further attacks if other types of HTTP requests are enforced by HSTS, right?

Hannah, PortSwigger Agent | Last updated: Mar 26, 2020 09:33AM UTC

The probability is low, but if a browser hasn’t recently accessed other resources on the website, then the site may not be in its HSTS cache. As such, we recommend applying HSTS headers to every response. This will help ensure the site stays in the browser’s HSTS cache indefinitely.
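As an added illustration of the advice above (example code written for this thread, not from PortSwigger or Burp Suite), the block below shows a hypothetical WSGI app whose CORS preflight branch forgets the header, a middleware that attaches Strict-Transport-Security to every response regardless of method, and a small checker that approximates what the "HSTS not enforced" alert looks for. All names (`demo_app`, `hsts_middleware`, `audit`) and the one-year max-age value are assumptions for the example.

```python
"""Added example: enforce HSTS on every response, OPTIONS included, and audit it."""
import re

HSTS_VALUE = "max-age=31536000; includeSubDomains"  # example policy: one year, all subdomains


def hsts_middleware(app):
    """Wrap a WSGI app so every response, whatever the method, carries one HSTS header."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            # Replace any app-supplied value so the policy is consistent across handlers.
            headers = [(k, v) for k, v in headers if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)
        return app(environ, sr)
    return wrapped


def demo_app(environ, start_response):
    """Hypothetical app: the OPTIONS (preflight) branch never sets HSTS itself."""
    if environ["REQUEST_METHOD"] == "OPTIONS":
        start_response("204 No Content", [("Allow", "GET, OPTIONS"),
                                          ("Access-Control-Allow-Origin", "https://app.example")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Strict-Transport-Security", HSTS_VALUE)])
    return [b"hello"]


def call(app, method):
    """Invoke a WSGI app in-process for `method`; returns (status, headers), no socket needed."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/", "wsgi.url_scheme": "https"}
    b"".join(app(environ, start_response))  # drain the body so start_response has run
    return captured["status"], captured["headers"]


_MAX_AGE = re.compile(r"(?:^|;)\s*max-age\s*=\s*(\d+)", re.I)


def hsts_not_enforced(headers):
    """True when the response has no usable HSTS header (absent, unparsable, or max-age=0)."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return True
    m = _MAX_AGE.search(values[0])
    return m is None or int(m.group(1)) == 0


def audit(app, methods=("GET", "OPTIONS")):
    """Return the methods whose responses would trigger an 'HSTS not enforced' finding."""
    return [m for m in methods if hsts_not_enforced(call(app, m)[1])]
```

Running `audit(demo_app)` reports only `OPTIONS`, and `audit(hsts_middleware(demo_app))` reports nothing, which is the effect of applying the header to every response as recommended above.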
