For the specifics of whether to have the header expected on the root or the
resource, it's probably worth hearing from some people who manage
large-scale resource hosts to see which one presents fewer configuration
problems.
-- Eric
On Tue, Aug 25, 2015 at 1:52 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:
> On 25 August 2015 at 10:06, Richard Barnes <rbarnes@mozilla.com> wrote:
> > Serving the HSTS header on the resource itself makes me wonder if there
> are
> > deployment issues lurking here. The site operator has to send the HSTS
> > header on every request, instead of just for the resource the priming
> query
> > hits.
>
>
> I'm OK with that. As it turns out, there are some HTTP variants that
> make repeated header fields close to free, so it's not like it is a
> significant cost. There might be some operational challenges, but if
> the server container can be configured to insert the header field on
> the way out, then that solves that problem neatly.
>
>
--
konklone.com | @konklone <https://twitter.com/konklone>