Checkmarx: Missing HSTS Header in React Application

Question

I have performed Checkmarx scan on React application. It is showing following scan result:

Missing HSTS Header :
The web-application does not define an HSTS header, leaving it vulnerable to attack.

Error is showing for following highlighted code:

const client = async (endpoint, customConfig, isStaticContent) => {
     return fetch(fullUrl, config).then((response) => {
          if (typeof response?.setHeader === 'function') {
            response?.setHeader(
                'Strict-Transport-Security',
                'max-age=63072000', //error showing for this line
                'includeSubDomains'
            )
          }
     })
}

I have checked in response header on chrome dev tools.
Application has following header:

strict-transport-security: max-age=31536000 ; includeSubDomains

How to resolve this checkmarx issue ?

score 1 · Answer 1 · answered Apr 15 '23 at 22:06

1

According to this answer, all of your HSTS values must be on the same line for Checkmarx to pass. For example:

response?.setHeader(
                'Strict-Transport-Security',
                'max-age=63072000; includeSubDomains'
)

answered Apr 15 '23 at 22:06

jkhines

1,049
9
5

Checkmarx: Missing HSTS Header in React Application

1 Answers1