Server advertises HTTP Strict-Transport-Security
Authored by Stanley Hong · AgentReserve (founder).
The HTTPS endpoint returns a `Strict-Transport-Security` header with a non-trivial `max-age`. HSTS prevents trivial downgrade attacks by instructing user agents to refuse plain HTTP for the host going forward.
When this rule runs
Evaluated on every scan — observable from the URL, TLS handshake, or HTTP response headers, even when the MCP layer is auth-walled or unresponsive.
Why it matters
Without HSTS, a network attacker can intercept the first plain-HTTP request to the server and downgrade or redirect it before the client knows TLS is available. The header is observable on any HTTPS response, including a 401, so a missing HSTS header is detectable even on auth-walled servers.
Pass condition
Response carries `Strict-Transport-Security` with `max-age` ≥ 86400 (24h).
Fail condition
No `Strict-Transport-Security` header, or `max-age` is 0 or missing.
Evidence examples
When the rule fails, the report records evidence in roughly this shape:
`{"present": false}`
`{"present": true, "maxAgeSeconds": 0}`
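The check described above, as an added example that is not AgentReserve's own scanner code: it parses the `Strict-Transport-Security` value per RFC 6797 (case-insensitive directive names, optional quoting, first occurrence of a repeated directive wins) and applies the 86400-second pass threshold. The `includeSubDomains` field in the evidence and a `maxAgeSeconds` of `None` for a present header with a missing or malformed `max-age` are assumptions, not the report's documented shape.

```python
# Added example (not AgentReserve's code): evaluate the HSTS rule on a response header map.
MIN_MAX_AGE = 86400  # pass threshold stated by the rule (24 hours)


def parse_hsts(value: str) -> dict:
    """Split an HSTS header value into directives per RFC 6797.

    Directive names are case-insensitive; values may be quoted; when a
    directive repeats, the first occurrence wins.
    """
    directives = {}
    for part in value.split(";"):
        name, _, raw = part.strip().partition("=")
        name = name.strip().lower()
        if name and name not in directives:
            directives[name] = raw.strip().strip('"')
    return directives


def evaluate_hsts(headers: dict) -> tuple:
    """Return (passed, evidence) for one HTTPS response's headers.

    Evidence follows the shapes on the page; maxAgeSeconds of None for a
    present header whose max-age is missing or malformed is an assumption.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, {"present": False}
    directives = parse_hsts(value)
    raw = directives.get("max-age", "")
    max_age = int(raw) if raw.isdigit() else None
    evidence = {"present": True, "maxAgeSeconds": max_age,
                "includeSubDomains": "includesubdomains" in directives}
    return max_age is not None and max_age >= MIN_MAX_AGE, evidence


# Constructed sample responses; a scanner would take these from a live probe.
SAMPLES = {
    "pass": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "zero": {"strict-transport-security": "max-age=0"},
    "short": {"Strict-Transport-Security": "max-age=3600; preload"},
    "quoted": {"Strict-Transport-Security": 'max-age="86400"'},
    "absent": {"Content-Type": "application/json"},  # e.g. an auth-walled 401
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        passed, evidence = evaluate_hsts(hdrs)
        print(f"{label:>7}: {'PASS' if passed else 'FAIL'} {evidence}")
```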
Remediation
Add `Strict-Transport-Security: max-age=31536000; includeSubDomains` (and consider `; preload` after submitting to the HSTS preload list) to all HTTPS responses.
Methodology
This rule belongs to the Transport security dimension, which covers how the server is reached on the wire: TLS and protocol-level confidentiality of probe traffic.
Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.