
[upgrade-insecure-requests] Strict-Transport-Security only for HTML document or any type files?

From: Binyamin <7raivis@inbox.lv>
Date: Mon, 15 Jun 2015 22:42:48 +0300
Message-ID: <CABj=UkK49SOD=2WxkAKvds9vi2pEQt7HomJESSbyLkw=WY5qNA@mail.gmail.com>
To: public-webappsec@w3.org
With God's help


If all content is expected to come over HTTPS, is the
Strict-Transport-Security header still expected to be set on every file
type, or only on the HTML document?

Fewer headers would mean fewer bits, less bandwidth and better performance.

Apache config that sends Strict-Transport-Security on HTML documents only:

    # Send HSTS on every response (mod_headers); max-age is 180 days.
    Header set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
    # Then strip it again from static assets, so only HTML documents keep it.
    # The env= condition restricts the unset to requests that arrived over TLS:
    # mod_ssl sets HTTPS=on on such requests; a variable named SSL only exists
    # if you define it yourself (e.g. with SetEnvIf).
    <FilesMatch "\.(appcache|crx|css|eot|gif|ico|jpe?g|js|mp4|oga|ogg|ogv|otf|pdf|png|svg|ttf|txt|vcard|vcf|nex|webapp|webm|webmanifest|webp|woff|woff2|xml|xsl)$">
        Header unset Strict-Transport-Security env=HTTPS
    </FilesMatch>


Binyamin
Received on Monday, 15 June 2015 19:43:54 UTC
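Added example, not part of Binyamin's message or of any W3C text: a small Python model of the browser-side HSTS cache described in RFC 6797, run over constructed responses. It shows what the question turns on: the user agent stores the policy per host from any response it receives over TLS, regardless of file type, ignores the header on plain-HTTP responses, and applies includeSubDomains and max-age expiry. The host names, timestamps and header values are constructed for the demonstration; the `demo()` function replays the scenario from the config above (HSTS on the HTML document, none on the CSS file).

```python
"""Minimal model of a browser's HSTS cache (RFC 6797). Added example; not
the original poster's code. Hosts, times and headers below are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires_at: float          # absolute time (seconds) at which the policy lapses
    include_subdomains: bool


def parse_sts(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains), or None when the header is invalid
    (RFC 6797 requires a numeric max-age; otherwise the UA ignores the header).
    """
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        # "preload" and unknown directives are ignored by the user agent
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    def __init__(self):
        self.hosts = {}   # host -> HstsEntry

    def observe(self, url, headers, now):
        """Process one response. Only responses received over TLS count,
        whatever the content type of the resource (RFC 6797 section 8.1)."""
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme != "https" or host is None:
            return
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return
        parsed = parse_sts(value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.hosts.pop(host, None)        # max-age=0 revokes the policy
        else:
            self.hosts[host] = HstsEntry(now + max_age, include_sub)

    def is_known(self, host, now):
        """True if host (or a superdomain with includeSubDomains) has a live policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.hosts.get(candidate)
            if entry is None:
                continue
            if entry.expires_at <= now:
                del self.hosts[candidate]     # expired entries are dropped
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade an http:// URL to https:// when a policy applies (section 8.3)."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname, now):
            netloc = parts.netloc
            if netloc.endswith(":80"):        # explicit port 80 becomes 443 (default)
                netloc = netloc[:-3]
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


STS = "max-age=15552000; includeSubDomains; preload"   # value from the config above


def demo(now=1_000_000.0):
    """Constructed scenario mirroring the Apache config: the CSS response has
    no HSTS header, the HTML document does. Returns the rewrites observed."""
    cache = HstsCache()
    cache.observe("https://example.com/style.css", {"Content-Type": "text/css"}, now)
    before = cache.rewrite("http://example.com/", now)            # no policy yet
    cache.observe("http://example.com/", {"Strict-Transport-Security": STS}, now)
    over_http = cache.rewrite("http://example.com/", now)         # header over http ignored
    cache.observe("https://example.com/", {"Strict-Transport-Security": STS}, now)
    after = cache.rewrite("http://example.com/", now)             # now upgraded
    sub = cache.rewrite("http://static.example.com/logo.png", now)
    expired = cache.rewrite("http://example.com/", now + 15552000 + 1)
    return before, over_http, after, sub, expired


def demo_css_only(now=1_000_000.0):
    """Same cache logic, but the policy arrives only on a CSS response:
    the browser stores it all the same."""
    cache = HstsCache()
    cache.observe("https://example.com/style.css", {"strict-transport-security": "max-age=3600"}, now)
    return cache.rewrite("http://example.com/", now)
```

The point for the trade-off in the question: which response carries the header decides only when the browser first learns the policy, not whether it is honoured. A first visit that lands on an asset URL (a hot-linked image, a script) would not set the policy under the config above; once the policy is cached from the HTML document it covers every later request to that host until max-age runs out.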
