On Nov 6, 2013, at 4:16 PM, Marco Davids (Prive) <mdavids@xxxxxxxxxx> wrote:

> On 05/11/13 20:38, Yoav Nir wrote:
>>> Enabling 'HTTP Strict Transport Security' (HSTS, RFC6797) might be a
>>> good first step.
>> HSTS means that HTTP is off (or just redirects you to HTTPS). The first S stands for "strict" and we mean it. :-)
>>
> Well, not entirely; the redirect is strictly not part of HSTS.

Sure it is:

7.2. HTTP Request Type

If an HSTS Host receives an HTTP request message over a non-secure transport, it SHOULD send an HTTP response message containing a status code indicating a permanent redirect, such as status code 301 (Section 10.3.2 of [RFC2616]), and a Location header field value containing either the HTTP request's original Effective Request URI (see Section 9 ("Constructing an Effective Request URI")) altered as necessary to have a URI scheme of "https", or a URI generated according to local policy with a URI scheme of "https".
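As an added illustration of the section 7.2 behaviour quoted above (example code written for this page, not from the thread or from any HSTS implementation): a pure-Python model of an HSTS Host that redirects plain-HTTP requests to the same Effective Request URI with scheme "https", and only advertises the policy on the secure side. The `handle_request(host_header, request_target, secure)` signature and the max-age value are assumptions made for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed policy for this example (assumed values, not from the thread).
HSTS_MAX_AGE = 31536000          # one year, in seconds
HSTS_INCLUDE_SUBDOMAINS = True


def effective_request_uri(host_header, request_target, secure):
    """Effective Request URI (RFC 6797 section 9): scheme from the transport the
    request arrived on, authority from the Host header, path/query from the
    request-target."""
    scheme = "https" if secure else "http"
    return f"{scheme}://{host_header}{request_target}"


def https_redirect_target(eru):
    """Section 7.2: the original ERU altered as necessary to use scheme https.
    An explicit :80 is dropped so the redirect lands on the default TLS port;
    any other explicit port is kept, which is a local-policy choice here."""
    parts = urlsplit(eru)
    netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def hsts_header_value():
    """Strict-Transport-Security field value from the constructed policy."""
    value = f"max-age={HSTS_MAX_AGE}"
    if HSTS_INCLUDE_SUBDOMAINS:
        value += "; includeSubDomains"
    return value


def handle_request(host_header, request_target, secure):
    """Respond as an HSTS Host would. Returns (status, headers)."""
    eru = effective_request_uri(host_header, request_target, secure)
    if not secure:
        # Non-secure transport: permanent redirect to the https form of the
        # same URI, and no STS header (section 7.2 forbids sending it over
        # non-secure transport).
        return 301, {"Location": https_redirect_target(eru)}
    # Secure transport: serve the resource and advertise the HSTS policy.
    return 200, {"Strict-Transport-Security": hsts_header_value()}
```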