Is there a problem that the STS header is also sent over an HTTP link on the first return?
See this line in para 7.2 at http://tools.ietf.org/html/rfc6797:

"...An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport."
It seems that the "set_hsts_header" function should be modified to only set the header if the connection occurs over an https link. I am not 100% sure what the security issue is, but the standard does seem to require this. Does that seem correct to people?
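As an added illustration of the change proposed above (example code, not the project's own `set_hsts_header` and not code from the post): a small header helper that emits `Strict-Transport-Security` only when the response travels over TLS. The practical reason for the MUST NOT is that a conforming browser ignores an STS header received over plain HTTP anyway (RFC 6797 section 8.1), and sending it there only leaks the site's HSTS policy to anyone on the path. The function names, the request dictionary shape, and the `trust_proxy_header` setting are assumptions for this example.

```python
from typing import Dict, Optional

HSTS_HEADER = "Strict-Transport-Security"


def build_hsts_value(max_age: int, include_subdomains: bool = False,
                     preload: bool = False) -> str:
    """Render the STS directives (RFC 6797 section 6.1)."""
    if max_age < 0:
        raise ValueError("max-age must be non-negative")
    directives = [f"max-age={max_age}"]
    if include_subdomains:
        directives.append("includeSubDomains")
    if preload:
        directives.append("preload")
    return "; ".join(directives)


def is_secure_request(scheme: str, forwarded_proto: Optional[str] = None,
                      trust_proxy_header: bool = False) -> bool:
    """Decide whether the response will reach the client over TLS.

    Behind a TLS-terminating proxy the application sees plain HTTP, so the
    proxy's X-Forwarded-Proto value is consulted, but only when the deployment
    has explicitly declared that header trustworthy (assumed setting here);
    otherwise a client could set it and trigger the header over HTTP.
    """
    if scheme.lower() == "https":
        return True
    if trust_proxy_header and forwarded_proto:
        # A proxy chain may append values; the first entry is the client-facing hop.
        return forwarded_proto.split(",")[0].strip().lower() == "https"
    return False


def set_hsts_header(headers: Dict[str, str], is_secure: bool,
                    max_age: int = 31536000, include_subdomains: bool = False,
                    preload: bool = False) -> Dict[str, str]:
    """Add Strict-Transport-Security only when the transport is secure."""
    if not is_secure:
        # RFC 6797 section 7.2: MUST NOT send STS over non-secure transport.
        return headers
    headers[HSTS_HEADER] = build_hsts_value(max_age, include_subdomains, preload)
    return headers


def respond(request: Dict[str, str], trust_proxy_header: bool = False) -> Dict[str, str]:
    """Build response headers for a constructed request dictionary."""
    secure = is_secure_request(request.get("scheme", "http"),
                               request.get("X-Forwarded-Proto"),
                               trust_proxy_header)
    headers = {"Content-Type": "text/html"}
    return set_hsts_header(headers, secure, max_age=31536000,
                           include_subdomains=True)


if __name__ == "__main__":
    # Constructed sample requests: the first plain-HTTP hit (typically the
    # redirect to https) must not carry the STS header; the HTTPS one must.
    for req in ({"scheme": "http"}, {"scheme": "https"},
                {"scheme": "http", "X-Forwarded-Proto": "https"}):
        print(req, "->", respond(req, trust_proxy_header=True).get(HSTS_HEADER))
```

The proxy-header branch is the part worth getting right in a real deployment: if the application only checks its own socket scheme, a site behind a TLS-terminating load balancer never sends the header at all, and if it trusts `X-Forwarded-Proto` unconditionally, the header can be emitted over plain HTTP again.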