It's probably reasonable to use HSTS to force https-aware browsers to upgrade and avoid injection of all the things she hates. Dumb browsers like `netcat` are not harmed by this at all. But even then ... why aren't you using `curl` or something?
> It's probably reasonable to use HSTS to force https-aware browsers to upgrade and avoid injection of all the things she hates.
There's a broad spectrum between a browser that is "aware" of https and a browser that has all the cipher suites, certificates, etc to load a given page.
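To make concrete what "https-aware" buys you in the HSTS discussion above, here is a small model of the client side of RFC 6797 (an added example, not code from anyone in this thread): it parses a Strict-Transport-Security header, keeps a per-host store, and rewrites `http://` URLs to `https://` only while a live entry covers the host. A client that never consults such a store (the `netcat` case) simply sends the request unchanged.

```python
"""Model of how an HSTS-aware client treats an http:// URL after having seen a
Strict-Transport-Security header (RFC 6797). Added example, not from the thread."""
import re
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header):
    """Return (max_age_seconds, include_subdomains) or None if the header is
    invalid (RFC 6797 s6.1: max-age is required, names are case-insensitive)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if m is None or max_age is not None:   # malformed or duplicated
                return None
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def remember(store, host, header, now):
    """Update the client's HSTS store from a header received over HTTPS.
    max-age=0 tells the client to forget the host; malformed headers are ignored."""
    parsed = parse_hsts(header)
    if parsed is None:
        return
    max_age, include_sub = parsed
    if max_age == 0:
        store.pop(host.lower(), None)
    else:
        store[host.lower()] = (now + max_age, include_sub)

def rewrite_url(store, url, now):
    """Upgrade http:// to https:// when an unexpired HSTS entry covers the host
    (exact match, or a parent domain whose entry has includeSubDomains)."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host = parts.hostname.lower()
    # Implicit port and explicit :80 both become the https default; others are kept.
    netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
    labels = host.split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry is None or entry[0] <= now:
            continue                       # unknown host or expired entry
        if i == 0 or entry[1]:
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return url
```

Note that an HSTS entry is only ever learned over an HTTPS response, so a client whose TLS stack cannot complete the handshake never populates the store and keeps speaking plain HTTP.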
If a browser does not support modern TLS (SSL), it probably also has unpatched security flaws. Unpatched browsers should never be used on the Internet because they will get hacked.
Sure, but as a server operator, who cares? I already have zero trust in the client and it's not my job to punish the user for not being secure enough. If they get pwned, that's their problem.
Unless I'm at work, where there are compliance checkboxes to disallow old SSL versions, I'll take whatever you have.