by okket 3354 days ago
I still think you have this wrong:

HSTS says "This domain uses TLS and ONLY TLS. Ignore insecure connections to this domain. Remember this for x seconds." (should be harmless these days, why should it backfire?)

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security...

HPKP says "This domain uses this certificate. Also, remember this and ignore/complain when different in the future." (which is the problematic part)

https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning#How_It...


You don't seem to understand. Read again: I gave many scenarios where a certificate will be invalid, which will block all access to your site if HSTS is enabled.

I read your posts. Your examples apply to HPKP (key pinning), not HSTS (enforcing TLS only).

My examples are for HSTS. I gave examples where a certificate is invalid. TLS fails when the certificate is invalid and HSTS blocks access to your site.
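To make the distinction argued over in this thread concrete, here is an added example that models the browser-side handling of both headers. It is not code from the thread or from any real browser; the host names, key bytes and header values are constructed placeholders. It shows the two failure modes separately: a known HSTS host with an invalid certificate is a hard failure (no click-through), while a valid certificate issued for a brand-new key still passes HSTS and is refused only by HPKP.

```python
"""Model of what a browser does with HSTS versus HPKP headers.

Added example for this thread; not code from HN or from any browser.
Host names, key material and header values are constructed placeholders.
"""
import base64
import hashlib


def parse_directives(header_value):
    """Split 'max-age=600; includeSubDomains; pin-sha256="a"; pin-sha256="b"'
    into {'max-age': ['600'], 'includesubdomains': [None], 'pin-sha256': ['a', 'b']}.
    Directive names are case-insensitive; repeated directives are collected."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            name, value = part.split("=", 1)
            directives.setdefault(name.strip().lower(), []).append(value.strip().strip('"'))
        else:
            directives.setdefault(part.lower(), []).append(None)
    return directives


class HstsStore:
    """Hosts that declared 'TLS only' and how long the browser must remember it."""

    def __init__(self):
        self.entries = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header_value, now):
        d = parse_directives(header_value)
        max_age = int(d["max-age"][0])
        if max_age == 0:                    # max-age=0 tells the browser to forget the host
            self.entries.pop(host, None)
            return
        self.entries[host] = (now + max_age, "includesubdomains" in d)

    def is_hsts_host(self, host, now):
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None or entry[0] <= now:
                continue
            if i == 0 or entry[1]:          # exact match, or a parent with includeSubDomains
                return True
        return False


def hsts_decision(store, host, cert_valid, now):
    """Known HSTS host: http is rewritten to https and an invalid certificate is a
    hard failure with no click-through. Unknown host: an invalid certificate only
    produces a warning the user can override."""
    if store.is_hsts_host(host, now):
        return "connect" if cert_valid else "blocked"
    return "connect" if cert_valid else "warning"


def spki_pin(spki_der):
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def hpkp_decision(pins_header, chain_spkis, cert_valid):
    """HPKP adds a check on top of an already valid chain: at least one SPKI in
    the presented chain must match one of the remembered pin-sha256 values."""
    if not cert_valid:
        return "blocked"
    pins = set(parse_directives(pins_header).get("pin-sha256", []))
    return "connect" if any(spki_pin(s) in pins for s in chain_spkis) else "blocked"


# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
KEY_A = b"constructed SPKI bytes for key A"
KEY_B = b"constructed SPKI bytes for key B"        # a rotated key that was never pinned
KEY_BACKUP = b"constructed SPKI bytes for backup key"


def scenarios():
    now = 1_000_000
    store = HstsStore()
    store.observe("example.test", "max-age=31536000; includeSubDomains", now)
    pins = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000' % (
        spki_pin(KEY_A), spki_pin(KEY_BACKUP))
    return {
        # valid certificate from an unpinned key: HSTS is satisfied, HPKP refuses
        "hsts_valid_new_key": hsts_decision(store, "www.example.test", True, now),
        "hpkp_valid_new_key": hpkp_decision(pins, [KEY_B], True),
        # invalid (e.g. expired) certificate: HSTS host hard-fails, other host only warns
        "hsts_invalid": hsts_decision(store, "example.test", False, now),
        "no_hsts_invalid": hsts_decision(store, "other.test", False, now),
        # includeSubDomains makes the parent's policy cover api.example.test too
        "hsts_upgrade": store.is_hsts_host("api.example.test", now),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The `hsts_decision` branch is the point both posters are circling: HSTS itself never inspects the key, so a freshly issued certificate for a new key is fine, but any certificate the browser would otherwise reject (expired, wrong name, untrusted issuer) becomes a hard block for the remembered host instead of an overridable warning. `hpkp_decision` is the extra key-identity check that only HPKP adds.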