Re: HSTS, mixed content, and priming

For the specifics of whether to have the header expected on the root or the
resource, it's probably worth hearing from some people who manage
large-scale resource hosts to see which one presents fewer configuration
problems.

-- Eric

On Tue, Aug 25, 2015 at 1:52 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 25 August 2015 at 10:06, Richard Barnes <rbarnes@mozilla.com> wrote:
> > Serving the HSTS header on the resource itself makes me wonder if there are
> > deployment issues lurking here.  The site operator has to send the HSTS
> > header on every request, instead of just for the resource the priming query
> > hits.
>
>
> I'm OK with that.  As it turns out, there are some HTTP variants that
> make repeated header fields close to free, so it's not like it is a
> significant cost.  There might be some operational challenges, but if
> the server container can be configured to insert the header field on
> the way out, then that solves that problem neatly.
>
>


-- 
konklone.com | @konklone <https://twitter.com/konklone>

Received on Tuesday, 25 August 2015 19:18:49 UTC