by e1ven
5080 days ago
The STS header has an expiration date on it. Let's assume you have it set to 1 year.
Suppose user A visits the site in March, receives the header, and uses the site for a while. In May, the site/user's DNS/whatever is hijacked. Users are sent to a dummy site, which does not set the header. The dummy site is over HTTP. The next day, the user tries to go to the site. Because it is not over HTTPS, the browser refuses to load the page, even though the header is no longer sent.
If I visit again tomorrow, the browser-cached version of that header will be updated with a new expiration date, and expire a month from tomorrow, not now.
1: http://www.wolframalpha.com/input/?i=2592000%20seconds
edit: I think we're agreeing.
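To make the two points in the thread concrete (a policy learned in March survives an HTTP-only hijack in May, and a revisit pushes the expiry forward by a full max-age), here is a small model of a browser's HSTS store following RFC 6797 semantics. This is an added example, not code from the original post or from any browser; the `HstsStore` class, the `example.com` host, and the timestamps are assumptions made for illustration, and "now" is a plain integer of seconds rather than wall-clock time.

```python
"""Minimal model of a browser's HSTS store (RFC 6797 semantics).

Added example; not code from the thread or from any browser. Host names,
timestamps and the class/function names are assumptions for illustration.
"""
import re

ONE_DAY = 86400
STS_HEADER = "strict-transport-security"


class HstsStore:
    def __init__(self):
        # host -> (expires_at, include_subdomains)
        self.entries = {}

    def process_response(self, host, scheme, headers, now):
        """Apply an STS header from a response received at time `now`.

        RFC 6797 requires the header to be ignored unless the response came
        over HTTPS, so a hijacker speaking plain HTTP can neither clear nor
        shorten a previously learned policy.
        """
        value = next((v for k, v in headers.items() if k.lower() == STS_HEADER), None)
        if scheme != "https" or value is None:
            return
        max_age = None
        include_sub = False
        for directive in value.split(";"):
            directive = directive.strip()
            if not directive:
                continue
            name, _, val = directive.partition("=")
            name = name.strip().lower()
            if name == "max-age":
                m = re.fullmatch(r'"?(\d+)"?', val.strip())
                if m is None:
                    return  # malformed max-age: ignore the whole header
                max_age = int(m.group(1))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is mandatory
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 removes the policy
        else:
            # A fresh header always resets the expiry to now + max-age.
            self.entries[host] = (now + max_age, include_sub)

    def should_upgrade(self, host, now):
        """True if an http:// navigation to `host` must be rewritten to https://."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now >= expires_at:
                continue  # expired policy no longer applies
            if i == 0 or include_sub:
                return True
        return False


def hijack_scenario():
    """Replays the thread's scenario: 1-year header in March, HTTP hijack in May."""
    store = HstsStore()
    march = 0
    store.process_response("example.com", "https",
                           {"Strict-Transport-Security": "max-age=31536000"}, march)
    may = march + 60 * ONE_DAY
    # Hijacked site is plain HTTP. Even an attacker-sent max-age=0 is ignored.
    store.process_response("example.com", "http",
                           {"Strict-Transport-Security": "max-age=0"}, may)
    next_day = may + ONE_DAY
    return store.should_upgrade("example.com", next_day)  # True: still forced to HTTPS


def refresh_scenario():
    """A 30-day header today, seen again tomorrow, expires 30 days from tomorrow."""
    store = HstsStore()
    hdr = {"Strict-Transport-Security": "max-age=2592000"}
    store.process_response("example.com", "https", hdr, 0)
    store.process_response("example.com", "https", hdr, ONE_DAY)
    return store.entries["example.com"][0]  # 2592000 + 86400


if __name__ == "__main__":
    print("upgrade after hijack:", hijack_scenario())
    print("expiry after refresh:", refresh_scenario())
```

The two scenario functions are the thread's examples run through the model: the first returns True because the only thing that can shorten or remove a stored policy is another header received over HTTPS (including `max-age=0`), and the second returns an expiry 30 days after the second visit rather than after the first.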