Julian wondered..
>
> wouldn't it make sense to have a default for max-age so it
> can be made OPTIONAL?

hm ... I lean towards keeping max-age as REQUIRED (without a default value) and thus hopefully encouraging deployers to think a bit about this and its ramifications, and also because its value is so site-specific in terms of a web application's needs, deployment approach, and tolerance for downside risk of breaking itself.

=JeffH




_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
