Stuart Henderson writes:
> > My plan was to propose a way to set the HSTS header if this proposal was
> > well received, since there isn't much point having a built-in way to set
> > the header if you're still having to use FCGI anyway to do the
> > redirects.
>
> I think there is still point in that; even if you need FCGI for redirects,
> that would only be needed on the HTTP side, and there's little point in
> requiring FCGI to deliver a static html file plus HSTS header. Also you
> might not want to do redirects at all, just hand out an HTTPS URL to
> users and give them security against an HTTPS->HTTP downgrade attack.
There's not really any good way to prevent the case of "the first time a user
accesses example.com is by typing example.com instead of https://example.com
into the address bar." Firefox and Chrome attempt to solve this with a
preloaded list of domains that they use HSTS for by default; see
https://hstspreload.appspot.com/

-- 
Anthony J. Bentley
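To make the two points in this exchange concrete (HSTS protecting a user who has already reached the HTTPS site, and the unprotected first visit that only a preload list closes), here is a small model of how a browser handles the Strict-Transport-Security header. It is an added illustration written for this page, not code from httpd or from either poster. It follows RFC 6797 for parsing, the "only honour the header over TLS" rule, superdomain matching and the scheme rewrite; the preload-list minimums in PRELOAD_MIN_MAX_AGE and the host names used in the walkthrough are assumptions, not taken from the thread or from the preload site.

```python
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Assumed minimum max-age for preload-list submission (one year); an assumption
# for this example, check the submission form for the real requirements.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns {"max_age": int, "include_subdomains": bool, "preload": bool},
    or None if the policy is invalid (missing, duplicated or non-numeric max-age).
    """
    max_age = None
    include_subdomains = preload = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age value may be a quoted-string
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains, "preload": preload}


def preload_eligible(header):
    """True if the header meets the assumed preload-list minimums."""
    p = parse_hsts(header)
    return bool(p and p["max_age"] >= PRELOAD_MIN_MAX_AGE
                and p["include_subdomains"] and p["preload"])


@dataclass
class _Policy:
    expires: float
    include_subdomains: bool


class HstsStore:
    """Minimal model of a browser's HSTS state: cached policies plus a preload list."""

    def __init__(self, preload=(), clock=time.time):
        self.clock = clock
        self.policies = {}
        # Preloaded entries are assumed to cover subdomains as well.
        self.preload = {h.lower() for h in preload}

    def observe_response(self, url, header):
        """Record the HSTS header carried by a response for url. Returns True if stored."""
        parts = urlsplit(url)
        # RFC 6797 section 8.1: ignore the header on a non-TLS response, otherwise an
        # attacker sitting on the plain-HTTP side could plant or clear a policy.
        if parts.scheme != "https" or not parts.hostname:
            return False
        p = parse_hsts(header)
        if p is None:
            return False
        host = parts.hostname.lower()
        if p["max_age"] == 0:
            self.policies.pop(host, None)    # max-age=0 withdraws the policy
            return True
        self.policies[host] = _Policy(self.clock() + p["max_age"], p["include_subdomains"])
        return True

    def is_known_host(self, host):
        """Exact match, or a superdomain whose policy includes subdomains."""
        labels = host.lower().split(".")
        now = self.clock()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:
                return True
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            if policy.expires <= now:
                del self.policies[candidate]  # expired: forget it
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def navigate(self, typed_url):
        """Return the URL the browser would actually request for what the user typed."""
        parts = urlsplit(typed_url)
        if parts.scheme == "http" and parts.hostname and self.is_known_host(parts.hostname):
            # RFC 6797 section 8.3: rewrite the scheme; port 80 becomes the default 443.
            netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return typed_url


def first_visit_walkthrough():
    """The scenario from the thread, on constructed host names and a fake clock."""
    fake_now = [1000.0]
    store = HstsStore(preload=["preloaded.example"], clock=lambda: fake_now[0])
    steps = [store.navigate("http://example.com/")]              # first visit: plain http
    store.observe_response("http://example.com/", "max-age=31536000")   # http: ignored
    steps.append(store.navigate("http://example.com/"))
    store.observe_response("https://example.com/", "max-age=31536000; includeSubDomains")
    steps.append(store.navigate("http://example.com/"))          # now upgraded
    steps.append(store.navigate("http://www.example.com/login")) # subdomain covered
    steps.append(store.navigate("http://preloaded.example/"))    # preloaded: safe on first visit
    fake_now[0] += 31536001                                      # policy lapses
    steps.append(store.navigate("http://example.com/"))
    return steps
```

The walkthrough shows the gap Anthony describes: the first two requests for example.com leave the browser over plain HTTP (and a header seen over HTTP is discarded), the site only becomes downgrade-resistant once an HTTPS response carried the header, the preloaded host is protected from the very first request, and everything lapses again once max-age runs out unless the site keeps refreshing it.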