Re: Alt-Svc and HSTS


On Mon, Mar 30, 2015 at 11:23 AM, Patrick McManus <>

> so I would agree that hsts and OE wouldn't be expected to be on the same
> host. HSTS is used to get an always-https:// semantic and OE is used when
> you are accessing an http:// url. HSTS is better simply because https://
> is better.
> Normally any http:// access would get redirected manually on a site to
> https:// if the HSTS directive wasn't stored on the client yet (and the
> https response would populate the directive on the client).. future http://
> accesses have their origins automatically redirected inside the client to
> https.. so there really isn't a role for OE there.
> However you might want to use Alt-Svc within https for load balancing or
> shedding purposes.
Thanks.  Our web site provides http and https endpoints for testing
purposes, so it would be better to remove HSTS from https in this particular

Best regards,
Tatsuhiro Tsujikawa

> -P
> On Sun, Mar 29, 2015 at 8:57 PM, Tatsuhiro Tsujikawa <
>> wrote:
>> Hi,
>> I enabled HSTS for a while back.  A few days ago, I
>> enabled Alt-Svc at with h2="". OE
>> works fine with Firefox Nightly and so far so good.
>> Then I got a comment[1] from Twitter that "if there is HSTS, all requests
>> should be https to start with, so no Alt-Svc."
>> The comment is understandable when considering the effect of HSTS, but
>> should Alt-Svc really be avoided in this case?  If HSTS is used, we
>> probably should do an automatic redirect to https from http, so this scenario
>> is not a real use case.
>> [1]
>> Best regards,
>> Tatsuhiro Tsujikawa

Received on Monday, 30 March 2015 06:54:09 UTC
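
The client-side behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of a user agent's HSTS store and Alt-Svc cache, showing that once the HSTS directive is stored, an http:// request is upgraded before any Alt-Svc entry for the http origin is consulted. The class and method names, the `example.test` hosts and the header values are constructed for illustration, and the Alt-Svc value is kept opaque rather than parsed.

```python
from urllib.parse import urlsplit

class ClientModel:
    """Toy user agent: an HSTS store plus an Alt-Svc cache (simplified, constructed)."""

    def __init__(self):
        self.hsts = {}     # host -> (expiry, include_subdomains)
        self.alt_svc = {}  # (scheme, host) -> raw Alt-Svc value, kept opaque

    def on_response(self, url, headers, now):
        u = urlsplit(url)
        sts = headers.get("Strict-Transport-Security")
        # An STS header received over plain http is ignored (RFC 6797).
        if sts and u.scheme == "https":
            d = {}
            for part in sts.split(";"):
                name, _, value = part.strip().partition("=")
                if name:
                    d[name.strip().lower()] = value.strip().strip('"')
            if "max-age" in d:
                max_age = int(d["max-age"])
                if max_age == 0:
                    self.hsts.pop(u.hostname, None)  # max-age=0 deletes the entry
                else:
                    self.hsts[u.hostname] = (now + max_age, "includesubdomains" in d)
        if "Alt-Svc" in headers:
            self.alt_svc[(u.scheme, u.hostname)] = headers["Alt-Svc"]

    def hsts_applies(self, host, now):
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hsts.get(".".join(labels[i:]))
            # A parent-domain entry counts only if it set includeSubDomains.
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def plan(self, url, now):
        """Return (scheme actually used, Alt-Svc value consulted or None)."""
        u = urlsplit(url)
        scheme = u.scheme
        if scheme == "http" and self.hsts_applies(u.hostname, now):
            scheme = "https"  # upgraded inside the client; the http origin's OE entry is never reached
        return scheme, self.alt_svc.get((scheme, u.hostname))
```

An Alt-Svc value learned over https is still returned after the upgrade, which matches the load-balancing use mentioned in the thread.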