Incorrect message in HSTS 'preload' attribute check

In gb_hsts_preload_missing.nasl that checks for the preload attribute in HSTS headers, the log_message that gets output refers to the includeSubDomains directive incorrectly, as such:

log_message( port:port, data:'The remote HTTPS Server is missing the "includeSubDomains" attribute in the HSTS header.\n\nHSTS Header:\n\n' + banner );

The message should probably be modified to indicate that the preload attribute is missing instead of the includeSubDomains.

Thanks for your report. This is indeed a typo in that message and should refer to “preload” instead.

The mentioned VT has been updated and the changes will arrive in the feed within the next few days.