Re: How is this possible? Apache sends HSTS on a non valid cert but user can proceed, on compatible browser

To: users@xxxxxxxxxxxxxxxx
Subject: Re: How is this possible? Apache sends HSTS on a non valid cert but user can proceed, on compatible browser
From: "Scott (firstclasswatches.co.uk)" <scott.lucas@xxxxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 6 Oct 2014 23:22:55 +0100
In-reply-to: <00cd01cfe1b3$98778900$c9669b00$@mattermedia.com>
Reply-to: users@xxxxxxxxxxxxxxxx

Yes, HSTS requests over HTTP are ignored anyway for similar reasons.

Kind Regards,

Scott

First Class Watches

9 Warwick Road
Kenilworth
CV8 1HD
Warwickshire

United Kingdom

On 6 October 2014 23:19, Eddie B <eddie@xxxxxxxxxxxxxxx> wrote:

Great answer, thank you Scott.

Do you recommend only setting the HSTS header for https requests?

References:
- How is this possible? Apache sends HSTS on a non valid cert but user can proceed, on compatible browser
  - From: Eddie B
- Re: How is this possible? Apache sends HSTS on a non valid cert but user can proceed, on compatible browser
  - From: Scott (firstclasswatches.co.uk)
- RE: How is this possible? Apache sends HSTS on a non valid cert but user can proceed, on compatible browser
  - From: Eddie B