Hacker News
by
ars_technician
4560 days ago
It doesn't work if the user hasn't visited the site before because the HSTS header can be stripped just as easily.
2 comments
lvh
4560 days ago
The HSTS specification tells you not to put those headers in regular HTTP requests anyway.
Also, you're forgetting about browsers that ship with lists of HSTS-enabled sites.
gtklocker
4560 days ago
https://news.ycombinator.com/item?id=6978539
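The three points raised in this thread (no protection on a first visit, the header being ignored over plain HTTP, and browser-shipped preload lists) can be seen in a small model of a browser's HSTS store. This is an added example, not code from any commenter or browser; the `HstsStore` class, the host names and the one-entry preload set are constructed for illustration, and header names are assumed to be lowercased already.

```python
import time

# Constructed stand-in for the list a browser ships with (assumption: every
# preloaded entry also covers its subdomains).
PRELOADED = {"preloaded.example"}

class HstsStore:
    def __init__(self, preloaded=PRELOADED):
        self.preloaded = set(preloaded)
        self.dynamic = {}  # host -> (expiry timestamp, include_subdomains)

    def note_response(self, scheme, host, headers, now=None):
        """Process a response; return True only if a policy was stored."""
        now = time.time() if now is None else now
        value = headers.get("strict-transport-security")
        if scheme != "https" or value is None:
            return False  # RFC 6797 section 8.1: ignore the header over plain HTTP
        max_age, include_sub = None, False
        for part in value.split(";"):
            name, _, arg = part.strip().partition("=")
            if name.lower() == "max-age" and arg.strip('"').isdigit():
                max_age = int(arg.strip('"'))
            elif name.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False  # max-age is a required directive
        if max_age == 0:
            self.dynamic.pop(host.lower(), None)  # max-age=0 clears the policy
            return False
        self.dynamic[host.lower()] = (now + max_age, include_sub)
        return True

    def must_upgrade(self, host, now=None):
        """Would the browser refuse plain HTTP for this host?"""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:
                return True
            entry = self.dynamic.get(candidate)
            # A parent domain's policy applies only with includeSubDomains.
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False
```
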