Matt Konda · Mar 27, 2019 · 9:07 PM UTC

Matt Konda @mkonda

27 Mar 2019

Not super exciting, but curious: if a response sets STS header, do we still care about the secure flag on the cookie?

Bil Corry · Mar 28, 2019 · 12:10 AM UTC

Bil Corry · Mar 28, 2019 · 12:10 AM UTC

Bil Corry @bilcorry

28 Mar 2019

Replying to @mkonda

Yes, there’s the issue of scope mismatch, the HSTS bootstrap request, older browsers, and misconfiguration. Seems prudent to still set Secure.

Mar 28, 2019 · 12:10 AM UTC

Matt Konda · Mar 28, 2019 · 12:25 AM UTC

Matt Konda @mkonda

28 Mar 2019

Replying to @bilcorry

Thanks, Bil! That hit what I needed and part of it I had overlooked.