TL;DR
No. HSTS (HTTP Strict Transport Security) cannot replace the Secure flag on cookies in a PCI DSS environment. HSTS only instructs browsers that have already received the header over HTTPS to upgrade their later requests to that host; it does nothing for the first visit, for an expired policy, or for clients that do not implement it. The Secure flag is what stops the browser from ever attaching the cookie to a plain http:// request, so both controls are needed and an auditor will look for both.
Understanding the Issue
PCI DSS (Payment Card Industry Data Security Standard) requires that sensitive data is transmitted securely. This means using HTTPS and ensuring cookies containing sensitive information are protected from interception. The Secure flag on a cookie tells the browser to only send that cookie over an HTTPS connection.
Why HSTS Isn’t Enough
- Browser Support: A browser that does not implement HSTS (older versions in particular) ignores the header entirely, so relying on HSTS alone leaves those users with no protection.
- Initial Connection and Expiry: A browser only learns the policy from a Strict-Transport-Security header received over HTTPS. The first request to the site, any request after max-age has elapsed, and any request after the browser's HSTS cache is cleared can therefore go out over plain HTTP. A cookie without the Secure flag is attached to that request; a cookie with the Secure flag is withheld.
- Subdomains: The policy covers only the exact host that sent it unless includeSubDomains is present. A cookie scoped to the parent domain (Domain=example.com) is also sent to subdomains, so a non-Secure cookie can still leak to http://api.example.com even though www.example.com is protected.
- Non-Browser Clients: HSTS is a browser mechanism. API clients, scripts and command-line tools that do not implement it will send a non-Secure cookie over plain HTTP whenever they are pointed at an http:// URL.
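The four gaps above can be made concrete with a small model of the decision a browser makes before attaching a cookie to a request. This is an added example, not code from the original article; it models two independent mechanisms, the HSTS policy learned from an HTTPS response (trust on first use, bounded by max-age, optionally covering subdomains) and the per-cookie Secure attribute. All host names, cookie names and values are made up for the illustration.

```python
"""Toy model of when a browser attaches a cookie to a plain-HTTP request.

Added example (not from the original article). Hosts, cookie names and
values are invented; the HSTS and Secure-flag logic follows what browsers do.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False  # the Secure attribute from Set-Cookie


@dataclass
class HstsPolicy:
    expires_at: float
    include_subdomains: bool


@dataclass
class Browser:
    """Minimal client: a clock, an HSTS cache and a cookie jar keyed by cookie Domain."""
    now: float = 0.0
    hsts: Dict[str, HstsPolicy] = field(default_factory=dict)
    jar: Dict[str, List[Cookie]] = field(default_factory=dict)

    def learn_hsts(self, host: str, header: str) -> None:
        """Record a Strict-Transport-Security header received from `host` over HTTPS."""
        max_age, include = 0, False
        for directive in header.split(";"):
            key, _, val = directive.strip().partition("=")
            key = key.strip().lower()
            if key == "max-age":
                max_age = int(val.strip().strip('"'))
            elif key == "includesubdomains":
                include = True
        if max_age <= 0:
            self.hsts.pop(host, None)  # max-age=0 tells the browser to forget the policy
        else:
            self.hsts[host] = HstsPolicy(self.now + max_age, include)

    def hsts_applies(self, host: str) -> bool:
        for known, policy in self.hsts.items():
            if self.now >= policy.expires_at:
                continue  # expired: the browser uses whatever scheme the URL carries
            if host == known or (policy.include_subdomains and host.endswith("." + known)):
                return True
        return False

    def store_cookie(self, domain: str, cookie: Cookie) -> None:
        self.jar.setdefault(domain, []).append(cookie)

    def request(self, url: str) -> Tuple[str, List[str]]:
        """Return the scheme actually used and the names of the cookies attached."""
        scheme, _, rest = url.partition("://")
        host = rest.split("/", 1)[0]
        if scheme == "http" and self.hsts_applies(host):
            scheme = "https"  # HSTS rewrites the URL before any packet is sent
        # Domain-scoped cookies match the host and its subdomains; a Secure cookie is
        # never attached to a plaintext request, a non-Secure one always is.
        return scheme, [c.name for domain, cookies in self.jar.items()
                        if host == domain or host.endswith("." + domain)
                        for c in cookies if scheme == "https" or not c.secure]


def _browser_with_cookies() -> Browser:
    b = Browser()
    b.store_cookie("shop.example", Cookie("sessionId", "abc123"))                # no Secure flag
    b.store_cookie("shop.example", Cookie("auth_token", "xyz789", secure=True))  # Secure flag
    return b


def no_hsts_learned() -> Tuple[str, List[str]]:
    """First visit, cleared cache or a browser without HSTS: only Secure withholds a cookie."""
    return _browser_with_cookies().request("http://shop.example/cart")


def hsts_then_expired() -> Tuple[Tuple[str, List[str]], Tuple[str, List[str]]]:
    """HSTS upgrades the request while the policy is fresh; after max-age it no longer does."""
    b = _browser_with_cookies()
    b.learn_hsts("shop.example", "max-age=60")
    b.now = 30
    fresh = b.request("http://shop.example/cart")
    b.now = 120
    stale = b.request("http://shop.example/cart")
    return fresh, stale


def subdomain_without_include() -> Tuple[str, List[str]]:
    """Without includeSubDomains, api.shop.example stays on plain HTTP and gets the cookie."""
    b = _browser_with_cookies()
    b.learn_hsts("shop.example", "max-age=31536000")
    return b.request("http://api.shop.example/v1/orders")


if __name__ == "__main__":
    print("no HSTS learned:      ", no_hsts_learned())
    print("HSTS fresh / expired: ", hsts_then_expired())
    print("subdomain, no include:", subdomain_without_include())
```

In every scenario the non-Secure sessionId travels in the clear as soon as HSTS stops applying, while the Secure auth_token is withheld regardless of what the browser knows about HSTS; that asymmetry is the whole reason the flag cannot be dropped.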
Steps for PCI DSS Compliance
- Implement HTTPS: Ensure your entire website uses HTTPS with a valid SSL/TLS certificate.
- Set the Secure Flag on Cookies: This is critical. Configure your web server or application code to set the Secure flag on all cookies containing sensitive data (session IDs, authentication tokens, etc.). Here is an example in PHP (the options-array form of setcookie() requires PHP 7.3 or later):

setcookie("sessionId", "your_session_id", ["secure" => true]);

- Implement HSTS: Add the following header to your web server configuration (Apache syntax, which needs mod_headers enabled). Browsers only honour the header when it arrives over HTTPS, so serve it from the HTTPS virtual host. Start with a small max-age and increase it once you are sure nothing is still served over plain HTTP, because a long max-age on a misconfigured site locks users out for that long:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

- Preload HSTS: Consider submitting your domain to the HSTS preload list (https://hstspreload.org/) so that browsers apply the policy before the first visit. The list requires a max-age of at least one year, includeSubDomains and the preload directive, and removal from it is slow, so only submit after thoroughly testing and confirming the configuration.
- Regular Scanning & Testing: Perform regular vulnerability scans and penetration tests to identify any weaknesses in your security posture.
- Use tools like OWASP ZAP or Burp Suite to check for insecure cookie transmission.
- Verify that the Secure flag is correctly set on all sensitive cookies.
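The verification step can be scripted so it runs on every deployment rather than only during the annual assessment. The following is an added example, not code from the original article: it takes the header list in the form returned by http.client.HTTPResponse.getheaders(), checks that sensitive cookies carry the Secure flag (and, as a related check the article does not discuss, HttpOnly), and parses the Strict-Transport-Security directives. The set of cookie names treated as sensitive, the one-year max-age threshold and the two sample responses at the bottom are assumptions constructed for the example.

```python
"""Audit Set-Cookie and Strict-Transport-Security headers.

Added example (not from the original article). SENSITIVE_COOKIES, the
threshold and the sample responses are assumptions for the illustration.
"""
import http.client
from dataclasses import dataclass
from typing import List, Optional, Tuple

SENSITIVE_COOKIES = {"sessionid", "phpsessid", "jsessionid", "auth_token"}  # assumption
MIN_HSTS_MAX_AGE = 31536000  # one year, the value the Apache directive above uses


@dataclass
class CookieAttrs:
    name: str
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(value: str) -> CookieAttrs:
    """Extract the name and the Secure/HttpOnly attributes from one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    attrs = CookieAttrs(name=parts[0].partition("=")[0].strip())
    for attr in parts[1:]:
        key = attr.partition("=")[0].strip().lower()
        if key == "secure":
            attrs.secure = True
        elif key == "httponly":
            attrs.httponly = True
    return attrs


def parse_hsts(value: str) -> Tuple[Optional[int], bool]:
    """Return (max_age, include_subdomains); max_age is None when absent or malformed."""
    max_age, include = None, False
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        key = key.strip().lower()
        if key == "max-age":
            try:
                max_age = int(val.strip().strip('"'))  # RFC 6797 allows a quoted value
            except ValueError:
                max_age = None
        elif key == "includesubdomains":
            include = True
    return max_age, include


def audit_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Return a list of findings; an empty list means the response passed."""
    findings: List[str] = []
    hsts_seen = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            c = parse_set_cookie(value)
            if c.name.lower() in SENSITIVE_COOKIES:
                if not c.secure:
                    findings.append(f"cookie {c.name}: missing Secure flag")
                if not c.httponly:
                    findings.append(f"cookie {c.name}: missing HttpOnly flag")
        elif lname == "strict-transport-security":
            hsts_seen = True
            max_age, include = parse_hsts(value)
            if max_age is None:
                findings.append("HSTS: max-age missing or malformed")
            elif max_age < MIN_HSTS_MAX_AGE:
                findings.append(f"HSTS: max-age {max_age} below {MIN_HSTS_MAX_AGE}")
            if not include:
                findings.append("HSTS: includeSubDomains not set")
    if not hsts_seen:
        findings.append("HSTS: header absent")
    return findings


def fetch_headers(host: str, path: str = "/") -> List[Tuple[str, str]]:
    """Fetch live response headers over TLS (not called by the offline sample below)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path)
    return conn.getresponse().getheaders()


# Constructed sample responses: one as a typical misconfiguration, one hardened.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionId=abc123; Path=/"),
    ("Strict-Transport-Security", "max-age=300"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionId=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp) or ["no findings"])
```

To run it against a real host, pass fetch_headers("www.example.com") to audit_headers; note that the HEAD request checks only the path you give it, so include the pages that actually issue the session cookie (login, checkout) rather than just the front page.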
Auditor Perspective
A PCI DSS auditor will expect to see both HTTPS implemented and the Secure flag properly configured on all relevant cookies. HSTS will be viewed as a positive security measure, but it won’t be accepted as a substitute for setting the Secure flag.

