Am 14.10.25 um 09:41 schrieb Olaf Kock:
In general, HSTS communicates to the public that you're claiming to be able to provide a proper https setup, as much as the use of http communicates that you're not able to do so. I was assuming that you're in the first group, so I stand by my word that HSTS is without risk.
Just remembering: Even for your guinea pig server, you /might/ be on the safe side:
If I'm not mistaken, the browser will honor the HSTS flag only when transmitted through a (valid) https connection. So you'd /first/ need a proper https setup, before the HSTS flag is honored.
I'm not 100% sure about this though, but it should be easy to test for you, with a short validity duration.
Olaf
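The rule Olaf describes, as an added model of how a browser processes the Strict-Transport-Security header (RFC 6797): the header is only noted when it arrives over https with a valid certificate, and a short max-age (or max-age=0) lets an entry expire or be cleared quickly. This is illustration code, not from the thread; host names and header values are constructed.

```python
"""Model of browser-side HSTS processing (RFC 6797); added illustration, not from the thread."""
from __future__ import annotations
import re

# Constructed responses: the same header seen over plain http and over https.
SAMPLE_HTTP = ("http", "example.test", {"Strict-Transport-Security": "max-age=300"})
SAMPLE_HTTPS = ("https", "example.test",
                {"Strict-Transport-Security": "max-age=300; includeSubDomains"})

_DIRECTIVE = re.compile(r'\s*([A-Za-z-]+)\s*(?:=\s*"?([^;"]*?)"?)?\s*')

def parse_sts(value: str) -> dict | None:
    """Parse an STS header value; return None if the browser would ignore it."""
    directives: dict[str, str | None] = {}
    for part in value.split(";"):
        if not part.strip():          # empty directive slots are allowed by the grammar
            continue
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            return None
        name = m.group(1).lower()
        if name in directives:        # duplicate directives make the header invalid
            return None
        directives[name] = m.group(2)
    max_age = directives.get("max-age") or ""
    if not max_age.isdigit():         # max-age is required and must be a non-negative integer
        return None
    return {"max_age": int(max_age), "include_subdomains": "includesubdomains" in directives}

def hsts_note(store: dict, scheme: str, host: str, headers: dict, now: float,
              cert_valid: bool = True) -> bool:
    """Update the HSTS store from one response; True if it changed.
    Only a response over https with a valid certificate may set or clear an entry."""
    if scheme != "https" or not cert_valid:
        return False                  # header over http (or a broken TLS setup) is ignored
    sts = parse_sts(headers.get("Strict-Transport-Security", ""))
    if sts is None:
        return False
    if sts["max_age"] == 0:           # max-age=0 tells the browser to forget the host
        return store.pop(host, None) is not None
    store[host] = {"expires": now + sts["max_age"],
                   "include_subdomains": sts["include_subdomains"]}
    return True

def should_upgrade(store: dict, host: str, now: float) -> bool:
    """Would the browser rewrite an http:// request for this host to https://?"""
    labels = host.split(".")
    for i in range(len(labels)):      # check the host itself, then each parent domain
        entry = store.get(".".join(labels[i:]))
        if entry and entry["expires"] > now and (i == 0 or entry["include_subdomains"]):
            return True
    return False
```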
