
Why must a HSTS header not be sent on HTTP?

What would it hurt? Clients could take it as a hint to redirect to HTTPS.

Lenne
    Actually, clients will just ignore it. Possible attack described here: https://tools.ietf.org/html/rfc6797#section-14.5 – Alexey Ten Apr 03 '17 at 10:37

1 Answer


HTTP requests can be manipulated by third parties (mitigating this is one of the main purposes of HTTPS). What happens if a third party modifies an HTTP response to add an HSTS header? Imagine that this happens to a site which does not support HTTPS. The client now attempts to access the site over HTTPS, which is not supported. Voilà: the third party has completely blocked access to the site (and for quite some time, if it was a long-term HSTS header).

David Schwartz
TRiG
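As an added example (not code from the question, the answer, or any browser), here is a minimal known-HSTS-host store that applies the RFC 6797 section 8.1 rule the answer relies on: a Strict-Transport-Security header is only honoured when it arrives over HTTPS, so a header injected into a plaintext response cannot lock clients out of an HTTP-only site. The host names and headers used to exercise it are constructed.

```python
# Added example: a user-agent side HSTS store. Not the page's code; the
# host names and header values fed to it are constructed for illustration.
import ipaddress
import re
import time

_MAX_AGE = re.compile(r'^max-age="?(\d+)"?$', re.IGNORECASE)


class HstsStore:
    """Known HSTS hosts, updated only from HTTPS responses (RFC 6797 8.1)."""

    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}  # host -> (expiry_timestamp, include_subdomains)

    def process_response(self, scheme, host, headers):
        """Apply one response's STS header; True if stored/cleared, else False."""
        sts = next((v for k, v in headers.items()
                    if k.lower() == "strict-transport-security"), None)
        if sts is None or scheme.lower() != "https":
            return False  # 8.1: STS on plain HTTP is ignored, injected or not
        host = host.lower().strip("[]")
        try:
            ipaddress.ip_address(host)
            return False  # 8.1.1: IP-address hosts are never HSTS hosts
        except ValueError:
            pass
        max_age, include_sub = None, False
        for directive in (d.strip() for d in sts.split(";")):
            m = _MAX_AGE.match(directive)
            if m:
                max_age = int(m.group(1))
            elif directive.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False  # max-age is a required directive
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 withdraws the policy
        else:
            self._hosts[host] = (self._now() + max_age, include_sub)
        return True

    def should_upgrade(self, host):
        """True if a plain-HTTP request to host must be rewritten to HTTPS."""
        labels = host.lower().split(".")
        for i in range(len(labels)):  # exact host first, then each parent
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and self._now() <= entry[0] and (i == 0 or entry[1]):
                return True
        return False
```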