Don't send HSTS headers over non-HTTPS connections #8
Well, I suppose it doesn't hurt, no. But from the specs:
So it might be confusing to send them over non-secure connections. This is a bit more restricting, adding the header only to connections where it actually makes sense.
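Added example, not code from this pull request or its project: a WSGI middleware sketch of the behaviour discussed above, attaching `Strict-Transport-Security` only to responses for requests that arrived over HTTPS. The names `HSTSMiddleware`, `is_secure`, `response_headers`, the `trust_proxy` option and the policy value are assumptions made for illustration.

```python
HSTS_VALUE = "max-age=31536000; includeSubDomains"  # constructed policy value


def is_secure(environ, trust_proxy=False):
    """Return True when the request arrived over HTTPS."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    # X-Forwarded-Proto is client-controlled unless a trusted proxy sets it,
    # so it is honoured only when the deployer opts in (assumed option).
    if trust_proxy:
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "")
        return proto.split(",")[0].strip().lower() == "https"
    return False


class HSTSMiddleware:
    def __init__(self, app, value=HSTS_VALUE, trust_proxy=False):
        self.app = app
        self.value = value
        self.trust_proxy = trust_proxy

    def __call__(self, environ, start_response):
        secure = is_secure(environ, self.trust_proxy)

        def patched_start(status, headers, exc_info=None):
            # Drop any copy set downstream so plain HTTP responses never carry it
            # and HTTPS responses carry exactly one.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "strict-transport-security"]
            if secure:
                headers.append(("Strict-Transport-Security", self.value))
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start)


def response_headers(environ, trust_proxy=False):
    """Run a constructed one-line app through the middleware; return its headers."""
    captured = {}

    def app(env, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    list(HSTSMiddleware(app, trust_proxy=trust_proxy)(environ, start_response))
    return captured
```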