file-missing-nginx-hsts: Missing Nginx HSTS

日期: 2025-08-01 | 影响软件: Nginx | POC: 已公开

漏洞描述

Ensures that HSTS (Strict-Transport-Security) is enabled in Nginx.

PoC代码[已公开]

id: file-missing-nginx-hsts

info:
  name: Missing Nginx HSTS
  author: pussycat0x
  severity: high
  description: |
    Ensures that HSTS (Strict-Transport-Security) is enabled in Nginx.
  remediation: |
    Add 'add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";' in /etc/nginx/nginx.conf under the server block.
  reference:
    - https://wiki.devsecopsguides.com/docs/checklists/nginx/
    - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
  metadata:
    verified: true
  tags: file,audit,nginx,hardening

file:
  - extensions:
      - conf

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "http"
          - "events"
        condition: and

      - type: word
        words:
          - 'add_header Strict-Transport-Security '
        negative: true
# digest: 490a00463044022068d501fe41912d1e66beaffb5bf0a26772b8a5739d8f8ebe02c4e9f8f78011e902206171c0708c46e26b21e227e2d385d63366cb7f2bba81b7f59217a02903b48428:922c64590222798bb761d5b6d8e72950

来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./file/audit/nginx/file-nginx-hsts-missing.yaml

漏洞描述

PoC代码[已公开]

相关漏洞推荐