If I’m using HSTS, can I skip the scheme from my CSP directives?
For various reasons, I need to shrink my CSP header a bit without degrading its effectiveness. I’m able to save some bytes by wildcarding some subdomains, but I’m also tempted to strip out all instances of https://.
Example:
connect-src 's…
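As an added illustration, not part of the question above and not an answer the page gives, the following script models the CSP source-matching rule that decides what stripping `https://` actually changes: a host-source with no scheme inherits the scheme of the protected document, and `http` in an expression also matches `https` URLs (CSP Level 2 and Level 3 agree on this for http/https). Ports, paths, wildcards and ws/wss are deliberately left out, the helper names (`parseSource`, `sourceMatches`, `directiveAllows`, `stripHttps`, `disagreements`) are chosen for this example, and the origins and probe URLs are constructed.

```javascript
// Added example: a minimal model of CSP host-source scheme matching, written
// to show what dropping "https://" from a source list changes. Not code from
// the original question. Assumes the CSP Level 2/3 rule for http and https:
// an expression without a scheme inherits the protected document's scheme,
// and "http" in an expression additionally matches "https" in the URL.
// Ports, paths, wildcards and ws/wss are deliberately out of scope.

// Parse "scheme://host" or "host" (hypothetical helper; no port/path support).
function parseSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([a-z0-9.-]+)$/i.exec(expr);
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase() };
}

// CSP "scheme-part match", restricted to http/https.
function schemePartMatch(exprScheme, urlScheme) {
  if (exprScheme === urlScheme) return true;
  return exprScheme === 'http' && urlScheme === 'https';
}

// Does one source expression permit this URL on a page served from pageOrigin?
function sourceMatches(expr, urlString, pageOrigin) {
  const src = parseSource(expr);
  const url = new URL(urlString);
  const pageScheme = new URL(pageOrigin).protocol.slice(0, -1); // drop ':'
  const exprScheme = src.scheme ?? pageScheme; // no scheme: inherit the page's
  const urlScheme = url.protocol.slice(0, -1);
  return schemePartMatch(exprScheme, urlScheme) &&
         url.hostname.toLowerCase() === src.host;
}

// Does a whitespace-separated source list (the value of connect-src, say)
// permit the URL on this page?
function directiveAllows(sourceList, urlString, pageOrigin) {
  return sourceList.trim().split(/\s+/)
    .some((expr) => sourceMatches(expr, urlString, pageOrigin));
}

// Remove "https://" from every expression in a source list.
function stripHttps(sourceList) {
  return sourceList.replace(/\bhttps:\/\//gi, '');
}

// URLs on which the original list and its stripped form decide differently
// for a document served from pageOrigin. Empty result: the rewrite is
// equivalent for these probes on that origin.
function disagreements(sourceList, urls, pageOrigin) {
  const stripped = stripHttps(sourceList);
  return urls.filter((u) =>
    directiveAllows(sourceList, u, pageOrigin) !==
    directiveAllows(stripped, u, pageOrigin));
}

// Constructed sample input (hypothetical hosts).
const CONNECT_SRC = 'https://api.example.com https://cdn.example.net';
const PROBES = [
  'https://api.example.com/v1/items',
  'http://api.example.com/v1/items',
  'https://cdn.example.net/app.js',
  'http://cdn.example.net/app.js',
  'https://evil.example.org/x',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const origin of ['https://app.example.com', 'http://app.example.com']) {
    console.log(origin, '->', disagreements(CONNECT_SRC, PROBES, origin));
  }
}
```

Run with `node`, the script reports no disagreements for a document served from `https://app.example.com` and two for `http://app.example.com`: on an https document the scheme-less form admits exactly the same https URLs, while on an http document it additionally admits plain-http connections to those hosts. The matching never consults HSTS state; it only sees the scheme of the document the policy is attached to.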