Strict Transport Security

[mvl22]

Once full-HTTPS has been in place for a while, we should enable Strict Transport Security, using:

Strict-Transport-Security: max-age=31536000; includeSubDomains;

We should only add this once happy that there are no confirmed situations where mixed content could arise, either existing, or in the future (e.g. embedding third-party images if auto-pull from another site is being done).

So I think this needs to be added cautiously; my experience so far is that you absolutely have to get it right first time, as you can't back out - a browser (as designed) caches the instruction for the given time.

[davidearl]

You're right you can't revoke it, but it doesn't affect referenced URLs. It does two things:

• browser always makes all requests to the specific domain over HTTPS once it has seen the header (until it expires)
• browser won't let you proceed with a duff certificate

[mvl22]

it doesn't affect referenced URLs

Yes; what I meant is that once we've decided to switch to HTTPS and switched on Strict Transport Security, there is no going back to HTTP in the future. Therefore, any scenario that might arise where HTTP resources need to be included (either existing or in the future) will not be possible, so such a change to enable Strict Transport Security must be done with this in mind.