Rentgen

HSTS (Strict-Transport-Security) — the header that prevents silent HTTP downgrade

Rentgen API Stories · December 2025

HTTPS is everywhere… until it isn’t. Most APIs “work fine” without HSTS — which is exactly why teams forget it. Rentgen flags it as a warning because nothing crashes, but the security posture quietly gets weaker.

What was tested

A simple response-header check on HTTPS endpoints: does the API return Strict-Transport-Security? If the header is missing, Rentgen marks it as a 🟠 Warning.

HSTS Strict-Transport-Security header check
Rentgen checking for Strict-Transport-Security on HTTPS endpoints

What Rentgen found

  • HSTS header missing on HTTPS responses
  • Result: 🟠 Warning (not a fail — the API still works)
  • Risk: clients may still accept HTTP on first contact or in downgrade scenarios

Why this matters

HSTS tells clients (especially browsers) one thing: “Always use HTTPS for this host. Never downgrade to HTTP.” Without it, HTTPS is negotiated rather than enforced, which leaves a window for downgrade attacks (for example, SSL stripping) when someone is on an untrusted network or behind a misbehaving proxy.

OWASP commonly recommends HSTS as part of transport-layer protections, because it reduces the chance of accidental or forced HTTP usage when HTTPS should be mandatory.

Why it’s a warning, not a bug

Many APIs are consumed server-to-server or by mobile apps — not by browsers. In those cases, clients often already hardcode HTTPS and don’t rely on HSTS behavior, so the real-world risk may be low. That’s why Rentgen doesn’t fail your API for missing HSTS — it makes you decide intentionally.

Who should take this seriously

  • APIs called from web frontends (browser traffic)
  • Systems using cookies for auth (sessions)
  • Platforms sharing a domain across frontend + API + auth flows
  • Public-facing services behind CDNs / gateways / legacy proxies

When it can be ignored

If your API is truly private, strictly server-to-server, never used from browsers, and your clients enforce HTTPS by design, you can treat this as informational. But don’t leave it as an accident — document the decision.

Final thoughts

Missing HSTS won’t break anything. It won’t show up in your test suite. It won’t wake anyone up at night. But it removes a layer that prevents silent HTTP downgrade in the environments where it matters. That’s why Rentgen includes it — to turn “forgotten security” into a deliberate choice.