I’m digging into the HTTP Strict-Transport-Security specification, https://tools.ietf.org/html/rfc6797
It specifies the syntax of the header like this:
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
The RFC specifies that directive names such as “max-age” are case-insensitive, but does explicitly state whether the header name, “Strict-Transport-Security”, is case-sensitive. Are there any more general rules to govern that? Or perhaps I’m missing something in the RFC?
All HTTP header field names are case-insensitive. RFC 7230 § 3.2 states:
Each header field consists of a case-insensitive field name followed by a colon (“:”), optional leading whitespace, the field value, and optional trailing whitespace.
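As an added illustration (not part of the original answer or of either RFC), the sketch below matches the field name without regard to case and then applies the RFC 6797 rules for directives: case-insensitive names, only the first STS field processed, repeated directives invalid. The function names and the sample header lines are constructed for this example.

```python
import re

# token characters per RFC 7230 section 3.2.6
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Constructed sample: mixed-case field names, two STS fields.
SAMPLE = [
    "content-type: text/html",
    "STRICT-transport-SECURITY: MAX-AGE=15768000 ; includeSubDomains",
    "Strict-Transport-Security: max-age=0",
]

def find_header(raw_lines, name):
    """Return the values of every field whose name equals `name`, ignoring case."""
    values = []
    for line in raw_lines:
        field_name, sep, value = line.partition(":")
        if sep and field_name.lower() == name.lower():
            values.append(value.strip(" \t"))
    return values

def parse_hsts(raw_lines):
    """Return {'max_age', 'include_subdomains'} or None if absent or invalid."""
    values = find_header(raw_lines, "Strict-Transport-Security")
    if not values:
        return None
    seen = {}
    # RFC 6797 section 8.1: only the first STS header field is processed.
    # Simplification: splitting on ';' ignores ';' inside quoted strings.
    for part in values[0].split(";"):
        part = part.strip(" \t")
        if not part:
            continue  # empty directive slots are allowed by the grammar
        name, _, val = part.partition("=")
        name = name.strip(" \t").lower()  # directive names are case-insensitive
        val = val.strip(" \t")
        if not _TOKEN.match(name) or name in seen:
            return None  # malformed or repeated directive invalidates the header
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # quoted-string form of the value
        seen[name] = val
    max_age = seen.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", max_age):
        return None  # max-age is required and must be all digits
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in seen}
```

A scanner or proxy rule that compares the field name as an exact string would miss the second line of the sample, which is the practical reason to normalise case before matching.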