When reading the spec for HSTS (Strict-Transport-Security), I see an injunction in section 7.2 against sending the header when accessed over http instead of https:
An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.
Why is this? What are the risks if this is violated?
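The following is an added illustration, not code from the original post: a server-side check that emits the header only on responses that actually travelled over TLS (the section 7.2 requirement quoted above, including the reverse-proxy case where the application itself sees plain HTTP), beside the client-side rule from RFC 6797 section 8.1, under which a user agent MUST ignore an STS header received over non-secure transport. The policy value and the request/response shapes are constructed for the example.

```python
"""
Added example (not from the original post): emit Strict-Transport-Security
only over secure transport (RFC 6797 section 7.2) and mirror the user-agent
rule that ignores it over non-secure transport (RFC 6797 section 8.1).
HSTS_VALUE and the header/request shapes are constructed for this example.
"""
from typing import Optional

HSTS_VALUE = "max-age=31536000; includeSubDomains"  # constructed policy value


def request_is_secure(scheme: str, forwarded_proto: Optional[str],
                      proxy_trusted: bool) -> bool:
    """Decide whether the request reached the origin over HTTPS.

    Behind a TLS-terminating proxy the application sees plain HTTP, so
    X-Forwarded-Proto is honoured only when the proxy is trusted; an
    untrusted value would let clear-text requests be treated as secure
    and cause the header to be sent over non-secure transport.
    """
    if scheme.lower() == "https":
        return True
    if proxy_trusted and forwarded_proto:
        # Take the first hop if the proxy chain appended several values.
        return forwarded_proto.split(",")[0].strip().lower() == "https"
    return False


def add_hsts(headers: dict, scheme: str, forwarded_proto: Optional[str] = None,
             proxy_trusted: bool = False) -> dict:
    """Attach STS only to responses conveyed over secure transport."""
    out = dict(headers)
    if request_is_secure(scheme, forwarded_proto, proxy_trusted):
        out["Strict-Transport-Security"] = HSTS_VALUE
    return out


def ua_accepts_hsts(response_scheme: str, headers: dict) -> Optional[str]:
    """Client side: return the STS value to cache, or None if it must be ignored.

    RFC 6797 section 8.1: an STS header on a response received over
    non-secure transport MUST be ignored, so nothing seen over plain HTTP
    ever changes the user agent's HSTS state for the host.
    """
    if response_scheme.lower() != "https":
        return None
    return headers.get("Strict-Transport-Security")
```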