Re: HSTS over HTTP question.

On 3/7/2014 6:28 AM, Ingo Chao wrote:
> I am aware of 6.2.  HTTP Request Type
>    A HSTS Server MUST NOT include the Strict-Transport-Security HTTP
>    Response Header in HTTP responses conveyed over a non-secure
>    transport.
>
> But I don't understand the reasons.

Because we don't trust the connection. Adding HSTS to a site not 
prepared to be fully TLS results in a denial of service for that site 
that the user won't really understand or easily fix.

-Dan Veditz

Received on Friday, 7 March 2014 20:26:47 UTC