- From: Binyamin <7raivis@inbox.lv>
- Date: Mon, 15 Jun 2015 22:42:48 +0300
- To: public-webappsec@w3.org
Received on Monday, 15 June 2015 19:43:54 UTC
בע"ה
If all content is expected to come from HTTPS, is the
Strict-Transport-Security header still expected to be set on any file
type or only for HTML documents?
Fewer headers would mean fewer bits, less bandwidth and better performance.
Apache config for Strict-Transport-Security only on HTML documents:
Header set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
<FilesMatch "\.(appcache|crx|css|eot|gif|ico|jpe?g|js|mp4|oga|ogg|ogv|otf|pdf|png|svg|ttf|txt|vcard|vcf|nex|webapp|webm|webmanifest|webp|woff|woff2|xml|xsl)$">
    Header unset Strict-Transport-Security env=SSL
</FilesMatch>
Binyamin
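Added example, not part of the original message: a Python model of which responses keep the header under the configuration quoted above, plus a parse of the policy value. It assumes the FilesMatch pattern is applied case-sensitively to the file name and that the env=SSL condition holds; the function names and sample paths are constructed for illustration.

```python
import re
from posixpath import basename

# Extension list copied from the FilesMatch pattern in the message above.
STATIC = re.compile(
    r"\.(appcache|crx|css|eot|gif|ico|jpe?g|js|mp4|oga|ogg|ogv|otf|pdf|png|svg"
    r"|ttf|txt|vcard|vcf|nex|webapp|webm|webmanifest|webp|woff|woff2|xml|xsl)$"
)
HSTS_VALUE = "max-age=15552000; includeSubDomains; preload"


def parse_hsts(value):
    """Split an HSTS header value into its directives (RFC 6797, section 6.1)."""
    policy = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        # Valueless directives (includeSubDomains, preload) are stored as True.
        policy[name.strip().lower()] = arg.strip().strip('"') or True
    return policy


def sends_hsts(file_path, env_ssl=True):
    """True if a response for file_path keeps the header under the posted config.

    Assumption: the regex is matched case-sensitively against the file name,
    and env_ssl stands for the 'env=SSL' condition on the unset directive.
    """
    stripped = env_ssl and STATIC.search(basename(file_path)) is not None
    return not stripped


def audit(paths):
    """Map each path to whether its response would carry the policy."""
    return {p: sends_hsts(p) for p in paths}


# Constructed sample paths, not taken from any real site.
SAMPLE = ["/index.html", "/css/site.css", "/img/logo.PNG",
          "/files/report.pdf", "/feed.xml"]

if __name__ == "__main__":
    days = int(parse_hsts(HSTS_VALUE)["max-age"]) // 86400
    print(f"policy lifetime: {days} days")
    for path, kept in audit(SAMPLE).items():
        print(f"{'HSTS' if kept else 'none':4}  {path}")
```

Paths reported as "none" are responses from which a browser cannot learn or refresh the policy.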