# cfml-general
d
Strict-Transport-Security question. In Ben Nadel's article about it in CF 2021, he only has it enabled in production, not dev, and I'm wondering why. What's the downside of having it on in dev?
b
@Dave Merrill There really isn't one so long as you plan to always have HTTPS configured on dev
HSTS basically tells the browser to always remember to hit the site over HTTPS, regardless of whether you specified that in the URL.
d
That's what I thought, thanks. Related, I'm adding that header, and I see it in the browser console, but I can hit the site as http (not https), and it renders the same, far as I can tell. Isn't the browser supposed to refuse in that case?
Same behavior in current Firefox, Chrome, and Edge. Either I don't understand this mechanism (likely), or this isn't really implemented in the real world, but caniuse thinks it is. What am I missing?
b
Hmm, it's been a while since I've played with that, but if you explicitly type http:// maybe it honors that and only kicks in when you type site.com with no protocol?
The last time I was playing with this, it was in CommandBox, where I have a flag to enable the HSTS headers automatically and a flag to auto-redirect all HTTP traffic to HTTPS.
Which is really nice because then you're not screwing around with custom HTTP headers in your CF code AND it applies to everything, including static assets, which your CF headers won't affect!
d
I can't get any different behavior typing just the URL with no protocol in a new window. I was thinking of doing this in IIS (what the site uses), but as Ben points out, then it needs to be configured on every new server. If it's in the code, it comes with. (Of course if it's in code, there's the problem of applying it to every page in every directory. That says Application.cfc, but there are 65 of them in one app, and 104 in another, and I'd need to do the research to make sure they all extend some root cfc. Ah, the joys of long-lived apps...)
f
For this kind of header, it must (according to spec) be set on all responses from the domain over HTTPS, so it is better to do it at the web server level instead of with cfheader, since that would only apply to your CFML-handled requests.