- From: Binyamin <7raivis@inbox.lv>
- Date: Mon, 15 Jun 2015 22:42:48 +0300
- To: public-webappsec@w3.org
Received on Monday, 15 June 2015 19:43:54 UTC
בע"ה

If all content is expected to come from HTTPS, is the Strict-Transport-Security header still expected to be set on any file type, or only for HTML documents? Fewer headers would mean fewer bits, less bandwidth and better performance.

Apache config for Strict-Transport-Security on HTML documents only:

    # Set the header on every response
    Header set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
    # Unset it again for files with these extensions when the SSL env variable is set
    <FilesMatch \.(appcache|crx|css|eot|gif|ico|jpe?g|js|mp4|oga|ogg|ogv|otf|pdf|png|svg|ttf|txt|vcard|vcf|nex|webapp|webm|webmanifest|webp|woff|woff2|xml|xsl)$>
        Header unset Strict-Transport-Security env=SSL
    </FilesMatch>

Binyamin
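An added example, not part of the original message: a Python model of the posted config showing which responses would carry the header and which hosts a client would then record as HSTS hosts (RFC 6797 applies the header from any HTTPS response, not only HTML). It assumes the `SSL` environment variable is true for every HTTPS request; the function names and the example.org hosts are constructed for illustration.

```python
import re

# Header value and extension list copied from the config in the message above.
HSTS_VALUE = "max-age=15552000; includeSubDomains; preload"
STATIC_RE = re.compile(
    r"\.(appcache|crx|css|eot|gif|ico|jpe?g|js|mp4|oga|ogg|ogv|otf|pdf|png|svg|"
    r"ttf|txt|vcard|vcf|nex|webapp|webm|webmanifest|webp|woff|woff2|xml|xsl)$")

def parse_hsts(value):
    """Parse an STS header value (RFC 6797, section 6.1); None if invalid."""
    seen = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        if name in seen:                   # a repeated directive invalidates the header
            return None
        seen[name] = arg.strip().strip('"')
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None                        # max-age is required
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen}

def response_headers(path):
    """Model of the posted config, assuming env SSL is true for every HTTPS request."""
    headers = {"Strict-Transport-Security": HSTS_VALUE}
    if STATIC_RE.search(path.rsplit("/", 1)[-1]):   # FilesMatch tests the file name
        del headers["Strict-Transport-Security"]
    return headers

def hosts_learned(fetches):
    """fetches: (host, path) pairs requested over HTTPS. Returns {host: policy}."""
    known = {}
    for host, path in fetches:
        value = response_headers(path).get("Strict-Transport-Security")
        policy = parse_hsts(value) if value else None
        if policy and policy["max_age"] > 0:
            known[host] = policy
        elif policy:
            known.pop(host, None)          # max-age=0 tells the client to forget the host
    return known

def is_covered(host, known):
    """True if host, or a parent domain with includeSubDomains, is a known HSTS host."""
    labels = host.split(".")
    parents = (".".join(labels[i:]) for i in range(1, len(labels)))
    return host in known or any(known.get(p, {}).get("include_subdomains") for p in parents)

# Constructed sample: one host serves pages, the other serves only static files.
SAMPLE = [("www.example.org", "/index.html"), ("www.example.org", "/css/site.css"),
          ("static.example.org", "/img/logo.png"), ("static.example.org", "/js/app.js")]
```

With the constructed sample, `hosts_learned(SAMPLE)` records only `www.example.org`; a host that serves nothing but the listed file types never delivers a policy under this config.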