HSTS Report-Only Mode: Practical Reference and Examples
HSTS report-only mode sounds like something browsers should support. They don’t. That’s the first thing worth clearing up, because a lot of developers go looking for a Strict-Transport-Security-Report-Only header and assume they just haven’t found the right syntax yet. There is no standardized HSTS report-only header implemented by browsers in the way Content-Security-Policy-Report-Only works. So if you’re trying to safely “test” HSTS before enforcing it, the real answer is a mix of: ...