Should "Missing HTTP Strict Transport Security Policy" have a higher severity?
Summary
When HTTP Strict Transport Security (HSTS) headers are not present, several classes of attack against an HTTP host become easier: stripping SSL via a MitM position, SSL downgrades, and weakened protection against cookie hijacking. By reporting this as low we give the impression that these attacks are less severe than they are.
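For context on what a check for this header has to evaluate, here is an added Python example; it is not GitLab DAST code and does not reflect how DAST assigns severity. It parses the `Strict-Transport-Security` value per RFC 6797 and reports findings for a missing, disabled, short-lived or subdomain-less policy. The one-year `max-age` baseline and the sample responses are assumptions constructed for the example.

```python
"""Evaluate the Strict-Transport-Security (HSTS) policy in an HTTPS response.

Added example, not GitLab DAST code. Directive parsing follows RFC 6797;
the one-year max-age threshold is an assumed hardening baseline.
"""
import re
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; assumed baseline, not a DAST setting


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse an HSTS header value into a lower-cased directive map.

    Directives are ';'-separated and case-insensitive; max-age carries a
    value, while includeSubDomains and preload are bare flags (value None).
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def evaluate_hsts(headers: Dict[str, str]) -> List[str]:
    """Return findings for the HSTS policy in a response header map.

    An empty list means the policy is present and meets the baseline.
    Header names are matched case-insensitively, as HTTP requires.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        # Without a policy, a browser keeps following plain-HTTP links and
        # redirects, which is what SSL-stripping and downgrade attacks rely on.
        return ["missing: no Strict-Transport-Security header"]

    findings: List[str] = []
    d = parse_hsts(value)
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        findings.append("invalid: max-age is required and must be an integer")
    elif int(max_age) == 0:
        findings.append("disabled: max-age=0 tells browsers to forget the policy")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"weak: max-age={max_age} is below the one-year baseline")
    if "includesubdomains" not in d:
        # Cookies scoped to the parent domain can still be set over plain
        # HTTP on an unprotected subdomain, undermining cookie protections.
        findings.append("partial: includeSubDomains absent")
    return findings


# Constructed sample responses; not captured from any real host.
SAMPLE_RESPONSES = {
    "no-hsts": {"Content-Type": "text/html"},
    "short": {"strict-transport-security": "max-age=300"},
    "good": {"Strict-Transport-Security":
             "max-age=63072000; includeSubDomains; preload"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(name, evaluate_hsts(hdrs) or ["ok"])
```

Running the block prints one line per sample: the header-less response yields the `missing` finding, the short policy yields both `weak` and `partial`, and the full policy yields `ok`.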
Steps to reproduce
- Set up a server that does not send HTTP Strict Transport Security headers
- Scan it with DAST and validate that the result is reported as low
What is the current bug behavior?
DAST reports that this issue is low severity.
What is the expected correct behavior?
When these headers are missing, several classes of attack become simpler; a low severity does not reflect the impact of their absence.
Possible fixes
Update 16.7.yaml to moderate or high.