[upgrade-insecure-requests] Strict-Transport-Security only for HTML document or any type files?

With God's help


If all content is expected to come from HTTPS, is the
Strict-Transport-Security header still expected to be set on any file
type, or only on the HTML document?

Fewer headers would mean fewer bits, less bandwidth and better performance.

Apache config for Strict-Transport-Security only on the HTML document:

    # Set HSTS on every response
    Header set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
    # Remove it again for static asset types when the SSL environment variable is set
    <FilesMatch "\.(appcache|crx|css|eot|gif|ico|jpe?g|js|mp4|oga|ogg|ogv|otf|pdf|png|svg|ttf|txt|vcard|vcf|nex|webapp|webm|webmanifest|webp|woff|woff2|xml|xsl)$">
        Header unset Strict-Transport-Security env=SSL
    </FilesMatch>


Binyamin

Received on Monday, 15 June 2015 19:43:54 UTC
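
The following is an added example, not part of the original message: it models the posted configuration together with a browser-side HSTS store, to show which first HTTPS responses would carry the policy. It assumes FilesMatch can be approximated by matching the URL path; `server_headers`, `parse_hsts`, `UserAgent`, `first_contact` and the host `example.test` are hypothetical names.

```python
import re

# Extension list copied from the FilesMatch pattern in the post.
ASSETS = re.compile(
    r"\.(appcache|crx|css|eot|gif|ico|jpe?g|js|mp4|oga|ogg|ogv|otf|pdf|png|svg|ttf|txt"
    r"|vcard|vcf|nex|webapp|webm|webmanifest|webp|woff|woff2|xml|xsl)$")
HSTS = "max-age=15552000; includeSubDomains; preload"

def server_headers(path, ssl_env=True):
    """Model of the posted config: set HSTS everywhere, unset it for asset files."""
    headers = {"Strict-Transport-Security": HSTS}
    if ssl_env and ASSETS.search(path):
        del headers["Strict-Transport-Security"]
    return headers

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if max-age is missing or invalid."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not re.fullmatch(r"[0-9]+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            subdomains = True
        # unrecognised directives (such as preload) are ignored
    return None if max_age is None else (max_age, subdomains)

class UserAgent:
    """Keeps a per-host HSTS store, learned only from responses received over HTTPS."""
    def __init__(self):
        self.store = {}

    def fetch(self, host, path, secure=True):
        policy = parse_hsts(server_headers(path).get("Strict-Transport-Security", ""))
        if secure and policy:
            self.store[host] = policy
        return host in self.store            # True: later http:// requests get upgraded

def first_contact(path, host="example.test"):
    """Constructed scenario: a fresh browser whose first HTTPS request is `path`."""
    return UserAgent().fetch(host, path)
```
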