securityheaders / securityheaders-bugs

Bug tracker for https://securityheaders.io

How bad is it to not include security headers when redirecting from Http to Https? #95

Open nulltoken opened 3 years ago

nulltoken commented 3 years ago

This https://securityheaders.com/?q=http%3A%2F%2Fsecurityheaders.com report shows that no security headers are set over Http, while redirecting to Https.

How bad/good/meh is this?

Should we strive to implement security headers even during redirections or is it no longer useful?

nulltoken commented 3 years ago

/cc @ScottHelme I understand this is not a critical bug/question. However, I'd really like some feedback (even a brief one) about the usefulness of implementing security headers in http responses while redirecting to https.