W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2015

[upgrade-insecure-requests] Strict-Transport-Security only for HTML document or any type files?

From: Binyamin <7raivis@inbox.lv>
Date: Mon, 15 Jun 2015 22:42:48 +0300
Message-ID: <CABj=UkK49SOD=2WxkAKvds9vi2pEQt7HomJESSbyLkw=WY5qNA@mail.gmail.com>
To: public-webappsec@w3.org

If all content expected to come from HTTPS, is
still Strict-Transport-Security header expected to been set on any file
type or only for HTML document?

Less headers would mean less bits, less bandwidth and better performance.

Apache config for Strict-Transport-Security only HTML document:

    Header set Strict-Transport-Security "max-age=15552000;
includeSubDomains; preload"
        Header unset Strict-Transport-Security env=SSL

Received on Monday, 15 June 2015 19:43:54 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:13 UTC