> On Sep 5, 2017, at 11:22 , Leo Lapworth <l...@cuckoo.org> wrote: > > Would (at least for the short term) just adding the HSTS header to every > request be the best solution? Then browsers get told to switch to secure and > other clients can do either.
HSTS only works on TLS requests, so you have to get the browser to use that first and then it’ll pay attention to the header (and use TLS across all requests). Ask
