I have an https server that sets the HSTS header, but up to date Chrome (and other HSTS compatible browsers, such as Firefox 32) still let the user proceed to HTTPS. Isn't the specific reason HSTS exists to prevent users from proceeding?
Here's the server: http://pastebin.com/JFJw1m40 How is this possible?
