While reading through https://hstspreload.org I noticed in section "Deployment Recommendations" that I should "Add the Strict-Transport-Security header to all HTTPS responses...".
Because of including HSTS-policy to all https responses sounds overkill to me, I examined a few websites to check if they really all include this header field in all their https responses. But not even google is doing it, e.g. https://www.google.com/doodles has no Strict-Transport-Security header field in the response.
So my question is when should a server response include HSTS-policy?
The options I see here are:
- include HSTS in every https response.
- include HSTS in every security relevant https response.
- include HSTS only for e.g. example.com but not for any paths like example.com/mypath
- I mean sooner or later they gonna visit example.com anyway, no?
- include HSTS only if request has "upgrade-insecure-requests: 1" field
- I noticed that Chrome is sending this request header field in security relevant stuff if HSTS was not set.