Burp Suite User Forum


[Minor False Positive] Strict transport security not enforced when HTTP 30x encountered

Dirk | Last updated: Jun 08, 2021 09:48AM UTC

Hi,

I have several instances on the dashboard which claim to have an HSTS problem but Burp Suite obviously connected to the instance before. Example of a full response header:

    HTTP/2 304 Not Modified
    Date: Tue, 08 Jun 2021 07:17:09 GMT
    Server: Apache
    Etag: "097914b232bd37a30b988c5e7c90ae93b"
    Expires: -1
    Cache-Control: must-revalidate, private

Using 'copy as curl command' and curling the response shows the HSTS header correctly, along with an HTTP 200. It's not something one needs to worry about very much but I guess this should be easy to avoid.

Cheers,
Dirk
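The false positive described above comes from judging each response on its own: a 304 Not Modified (or another 30x) typically carries a reduced header set, so the absence of Strict-Transport-Security on that one response says nothing about whether the origin enforces HSTS. The following added example (not code from this thread or from PortSwigger, and not how Burp Scanner itself implements the check) shows a per-origin evaluation that treats 3xx responses without the header as inconclusive and only raises a finding when a full 2xx response over HTTPS lacks a usable header. The sample responses, the host names and the one-year max-age threshold are all constructed assumptions for the demonstration.

```python
"""Per-origin HSTS check that does not treat 30x responses as negative evidence.

Added example, not the forum's or PortSwigger's code. Assumptions:
  - every response was received over HTTPS (HSTS only applies there)
  - a 2xx response is a "full" response and should carry the header
  - 3xx responses may legitimately omit it, so they are inconclusive
"""
import re

HSTS = "strict-transport-security"
MIN_MAX_AGE = 31536000  # one year; threshold chosen here as an assumption


def parse_response(raw):
    """Split a raw HTTP response head (status line + headers) into (status, headers)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])  # "HTTP/2 304 Not Modified" -> 304
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def hsts_max_age(value):
    """Return the max-age directive of an HSTS header value, or None if absent/invalid."""
    m = re.search(r'(?i)\bmax-age\s*=\s*"?(\d+)"?', value or "")
    return int(m.group(1)) if m else None


def evaluate_origin(responses):
    """Classify one origin from all of its observed HTTPS responses.

    Returns:
      'enforced'     - at least one response carried a usable HSTS header and
                       no full (2xx) response was missing it
      'not_enforced' - a full (2xx) response lacked the header or its max-age
                       was below MIN_MAX_AGE
      'inconclusive' - only responses that may legitimately omit the header
                       (3xx, 4xx, 5xx) were seen; no finding is raised
    """
    seen_valid = False
    missing_on_full = False
    for raw in responses:
        status, headers = parse_response(raw)
        age = hsts_max_age(headers.get(HSTS))
        if age is not None and age >= MIN_MAX_AGE:
            seen_valid = True  # any HTTPS response with the header is positive evidence
        elif 200 <= status <= 299:
            missing_on_full = True  # a full response without it is negative evidence
        # 3xx/4xx/5xx without the header: reduced header set, say nothing
    if missing_on_full:
        return "not_enforced"
    if seen_valid:
        return "enforced"
    return "inconclusive"


def audit(responses_by_origin):
    """Evaluate every origin; returns {origin: classification}."""
    return {origin: evaluate_origin(resps) for origin, resps in responses_by_origin.items()}


# Constructed sample traffic. example.com mirrors the situation in the thread:
# a 304 without the header, followed by a 200 that does carry it.
SAMPLES = {
    "example.com": [
        "HTTP/2 304 Not Modified\n"
        "Date: Tue, 08 Jun 2021 07:17:09 GMT\n"
        "Server: Apache\n"
        'Etag: "constructed-etag"\n'
        "Expires: -1\n"
        "Cache-Control: must-revalidate, private\n",
        "HTTP/2 200 OK\n"
        "Server: Apache\n"
        "Strict-Transport-Security: max-age=63072000; includeSubDomains\n"
        "Content-Type: text/html\n",
    ],
    # A full 200 with no header at all: a genuine finding.
    "example.org": [
        "HTTP/1.1 200 OK\nServer: nginx\nContent-Type: text/html\n",
    ],
    # Only a redirect observed: nothing to conclude yet.
    "example.net": [
        "HTTP/1.1 301 Moved Permanently\nLocation: https://www.example.net/\n",
    ],
}

if __name__ == "__main__":
    for origin, verdict in audit(SAMPLES).items():
        print(f"{origin}: {verdict}")
```

Run as a script it prints one verdict per origin; only example.org would become a scanner issue, while the 304-only evidence for example.com is overridden by the later 200 and example.net is left open until a full response is captured.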

Uthman, PortSwigger Agent | Last updated: Jun 08, 2021 12:47PM UTC

Hi Dirk,

Can you please send an email to support@portswigger.net with the information below?

- Diagnostics (Help > Diagnostics)
- Screenshots
- Steps to replicate

Can you replicate this on any site?
