Burp Scanner Report
Summary
The table below shows the numbers of issues identified in different categories. Issues are classified according to severity as High, Medium, Low, Information or False Positive. This reflects the likely impact of each issue for a typical organization. Issues are also classified according to confidence as Certain, Firm or Tentative. This reflects the inherent reliability of the technique that was used to identify the issue.| Confidence | |||||
| Certain | Firm | Tentative | Total | ||
| Severity | High | 0 | 0 | 0 | 0 |
| Medium | 0 | 0 | 0 | 0 | |
| Low | 1 | 0 | 0 | 1 | |
| Information | 0 | 0 | 0 | 0 | |
| False Positive | 0 | 0 | 0 | 0 | |
The chart below shows the aggregated numbers of issues identified in each category. Solid colored bars represent issues with a confidence level of Certain, and the bars fade as the confidence level falls.
| Number of issues | ||||||||||
| 0 | 1 | 2 | 3 | 4 | ||||||
| Severity | High |
|
||||||||
| Medium |
|
|||||||||
| Low |
|
|||||||||
| Information |
|
|||||||||
| False Positive |
|
|||||||||
Contents
1. Strict transport security not enforced
1. Strict transport security not enforced
Summary
| Severity: | Low | |
| Confidence: | Certain | |
| Host: | https://human.de | |
| Path: | / |
Issue description
The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption, and use the application as a platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection. The sslstrip tool automates this process.
To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify the victim's network traffic.This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.
Issue remediation
The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS. Consider adding the 'includeSubDomains' flag if appropriate.
Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never accessed the application will never have seen the HSTS header, and will therefore still be vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' flag to the HSTS header, and submit the domain for review by browser vendors.
References
Vulnerability classifications
Request
Host: human.de
Cache-Control: max-age=0
Sec-CH-UA: "Chromium";v="139", "Not;A=Brand";v="24", "Google Chrome";v="139"
Sec-CH-UA-Mobile: ?0
Sec-CH-UA-Platform: "Windows"
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Response
Date: Mon, 01 Sep 2025 10:38:33 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 17
Location: https://www.human.de/
Cf-Cache-Status: DYNAMIC
Nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
Speculation-Rules: "/cdn-cgi/speculation"
Expect-Ct: max-age=86400, enforce
Referrer-Policy: same-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Server-Timing: cfCacheStatus;desc="DYNAMIC"
Server-Timing: cfEdge;dur=15,cfOrigin;dur=22
Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=ffom8cPuG1hgeUAkpUi%2BPU%2BmFggOT82iTi%2B8545esybLaRkqUNQU6KDWHTr5a2EXtt8Z45vpWZL2BqQiLfBGJSr74RSYvWg%3D"}]}
Server: cloudflare
Cf-Ray: 97842384bf611999-FRA
Alt-Svc: h3=":443"; ma=86400
Moved Permanently
Report generated by Burp Suite web vulnerability scanner v2025.7.4, at Wed Sep 03 10:38:05 CEST 2025.