I realized two things about HTTP Strict Transport Security and this project:
HSTS only takes effect when the header is itself delivered over HTTPS, so even if we set the HSTS header before HTTPS has taken effect, there will be no ill effects.
There's no reason to think that once HTTPS is enabled for either a *.cf.18f.us subdomain or for open.foia.gov, we'd ever downgrade it to http:// afterwards.
Even if I am somehow wrong about the above, the worst case is that we remove the HSTS header, and the affected development team clears their HSTS cache (in Chrome, this is at chrome://net-internals#hsts). But I'm pretty sure there's no reason to think we'd even have to do that.
Fixes #618.
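To make the first point concrete, here is a small model of how a user agent processes the Strict-Transport-Security header. This is an added example, not code from the PR or the project; the hostnames in the comments are constructed samples and the store is a simplified stand-in for a browser's HSTS cache.

```python
"""Minimal model of browser-side HSTS policy handling.

Added example (not project code). It shows why setting the header early is
harmless: a Strict-Transport-Security header received over plain HTTP is
ignored (RFC 6797 section 8.1), a host is only pinned to HTTPS once the
header is seen over TLS, and the policy expires or can be cleared with
max-age=0. Hostnames used in tests are constructed samples.
"""
import re
import time


class HstsStore:
    def __init__(self):
        self.entries = {}  # host -> (expiry_timestamp, include_subdomains)

    def observe(self, host, scheme, header, now=None):
        """Process one response; return True if the policy was (re)recorded."""
        now = time.time() if now is None else now
        if scheme != "https" or header is None:
            return False  # HSTS is only honoured when delivered over TLS
        max_age = None
        include_sub = False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.lower()
            if name == "max-age":
                m = re.fullmatch(r'"?(\d+)"?', value.strip())
                if not m:
                    return False  # malformed max-age: ignore the header
                max_age = int(m.group(1))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False  # max-age is required
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 deletes the policy
            return True
        self.entries[host] = (now + max_age, include_sub)
        return True

    def must_upgrade(self, host, now=None):
        """True if host (or a superdomain with includeSubDomains) is pinned."""
        now = time.time() if now is None else now
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False
```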