Why you should enable the HSTS header
HSTS (HTTP Strict Transport Security) plays a key role in web security by enforcing HTTPS connections and protecting against downgrade attacks and cookie hijacking. It is especially important to enable it in your SharePoint 2019 environments to ensure secure communication.
Benefits of enabling HSTS Header
1) Forces Secure Connections (HTTPS Only)
This protects users from accidentally accessing the site over an insecure connection.
2) Prevents Protocol Downgrade Attacks
Attackers can try to downgrade a connection from HTTPS to HTTP. With HSTS enabled, a browser that has seen the header will refuse any non-HTTPS connection to the site, even if the user types http://.
3) Mitigates Cookie Hijacking
When traffic travels over HTTP, session cookies can be stolen in transit. HSTS ensures the browser only talks to the site over HTTPS, so cookies are never sent in the clear.
Solving: Missing HSTS Header in SharePoint 2019
To resolve the Missing HSTS Header issue in your SharePoint 2019 environment, you can enable HTTP Strict Transport Security (HSTS) using PowerShell as follows:
# Load the SharePoint cmdlets (only needed when not running in the SharePoint Management Shell)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
# Get your web application
$wa = Get-SPWebApplication https://yourwebapplicationURL
# Check if HSTS is already enabled (look at the IsEnabled value in the output)
$wa.HttpStrictTransportSecuritySettings
# If it's not enabled, enable it
$wa.HttpStrictTransportSecuritySettings.IsEnabled = $true
# Save the changes to the configuration database
$wa.Update()
Note: Make sure your site is already running over HTTPS before enabling HSTS; otherwise browsers that have received the header will refuse to load the site over HTTP. After running the above commands, the Strict-Transport-Security header should be included in your web application's responses, resolving the security finding.
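To confirm the fix took effect from the client side, the following added example (not part of the original post) requests the site over HTTPS, reads the Strict-Transport-Security header and reports whether a browser would actually apply the policy. It assumes the placeholder URL from above and an on-premises SharePoint site that accepts the current Windows logon (-UseDefaultCredentials).

```powershell
function Test-HstsHeader {
    param(
        [Parameter(Mandatory)] [string] $Url,
        # One year is a widely used production minimum; shorter values shrink
        # the window in which a returning user is still protected.
        [int] $MinMaxAgeSeconds = 31536000
    )

    # Browsers ignore HSTS received over plain HTTP, so only an https:// URL is meaningful.
    if ($Url -notmatch '^https://') {
        throw "HSTS is only honoured over HTTPS; test the https:// address instead of '$Url'."
    }

    $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -UseDefaultCredentials -ErrorAction Stop
    # The header is a string in Windows PowerShell and a string[] in PowerShell 7; normalise it.
    $raw = "$($resp.Headers['Strict-Transport-Security'])"

    $result = [pscustomobject]@{
        Url               = $Url
        HeaderPresent     = -not [string]::IsNullOrWhiteSpace($raw)
        RawHeader         = $raw
        MaxAgeSeconds     = $null
        IncludeSubDomains = $false
        Preload           = $false
        Pass              = $false
    }
    if (-not $result.HeaderPresent) { return $result }

    # Directives are ';'-separated and their names are case-insensitive (RFC 6797).
    foreach ($directive in ($raw -split ';')) {
        $d = $directive.Trim()
        if     ($d -match '^max-age=(\d+)$')  { $result.MaxAgeSeconds = [int64]$Matches[1] }
        elseif ($d -ieq 'includeSubDomains')  { $result.IncludeSubDomains = $true }
        elseif ($d -ieq 'preload')            { $result.Preload = $true }
    }

    # max-age=0 tells browsers to discard a stored policy, so it never counts as enabled.
    $result.Pass = ($null -ne $result.MaxAgeSeconds) -and ($result.MaxAgeSeconds -ge $MinMaxAgeSeconds)
    return $result
}

# Run after $wa.Update() above; replace the placeholder host with your web application URL.
Test-HstsHeader -Url 'https://yourwebapplicationURL' | Format-List
```

If HeaderPresent is $false, check that you queried the HTTPS URL of the web application you updated and that the change has propagated to every web front end.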