During a web application assessment, you intercept unencrypted HTTP traffic on the same host as an HTTPS site and obtain session cookies that lack the Secure flag. The developers cannot redeploy code immediately but can modify web-server configuration. Which HTTP response header should you recommend adding to most effectively prevent this attack vector in modern browsers?
The captured cookies were exposed because browsers were willing to communicate with the site over plain HTTP. Enabling the Strict-Transport-Security (HSTS) header instructs compliant browsers to refuse all future connections to the domain over HTTP and automatically convert them to HTTPS. This eliminates the opportunity for an attacker to downgrade a victim's connection or sniff cookies in cleartext. The other headers improve security in different areas-X-Content-Type-Options blocks MIME-type sniffing, Cache-Control controls client and proxy caching, and a basic Content-Security-Policy sandbox directive limits certain script capabilities-but none of them force transport encryption, so they would not stop session hijacking performed through unsecured HTTP.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the Strict-Transport-Security (HSTS) header?
Open an interactive chat with Bash
How does the lack of the Secure flag in cookies put them at risk?
Open an interactive chat with Bash
What role does HTTPS play in preventing session hijacking?
Open an interactive chat with Bash
What is the role of the Strict-Transport-Security (HSTS) header?
Open an interactive chat with Bash
How does enabling HSTS differ from other security headers like X-Content-Type-Options?
Open an interactive chat with Bash
What does the Secure flag on cookies do, and how does it relate to HSTS?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Web Application Hacking
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .