Reputation: 4735
Do I have to return a HTTP Strict Transport Security header for all resources (stylesheets, scripts, images) loaded with my documents? Or is it enough to include it with the documents only?
The security hint should be applied per-domain, so just sending it with the documents should be enough to inform the browser to only fetch resources over HTTPS? Or have I misunderstood how it is supposed to work?
Anyone who only accesses my site’s resources directly is not really an audience I want to cater for specifically anyway.
Upvotes: 3
Views: 4519
Reputation: 4735
Turns out it should be enough to send the header for documents.
If a UA receives HTTP responses from a Known HSTS Host over a secure channel but the responses are missing the STS header field, the UA MUST continue to treat the host as a Known HSTS Host until the max-age value for the knowledge of that Known HSTS Host is reached.
https://www.rfc-editor.org/rfc/rfc6797#section-8.6
Hoping clients have implemented the RFC correctly.
Update: Here is the Apache configuration I used. I unset it for resources instead of setting it for documents specifically, to make sure the header is used in redirects and other pages generated by Apache.
# Enable HSTS for all responses, but disable for common resources
Header always set Strict-Transport-Security "max-age=324000; includeSubDomains"
<FilesMatch "\.(css|gif|ico|jpeg|jpg|js|png|woff)$">
Header unset Strict-Transport-Security
</FilesMatch>
Shaves off 64 bytes from each resource’s response headers.
Upvotes: 4
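The answer above relies on how a user agent maintains its list of Known HSTS Hosts. The following is an added example, not code from the question or answer, that models the relevant RFC 6797 rules in Python so the behaviour can be checked against a sequence of responses: the header is only honoured over an error-free secure channel (section 8.1), a later response from the same host without the header does not clear the entry (section 8.6), a superdomain entry with includeSubDomains covers subdomains (section 8.2), http:// URLs to a Known host are rewritten to https:// with an explicit port 80 becoming 443 (section 8.3), and max-age=0 evicts the host. The clock is injectable so expiry can be simulated; host names, URLs and the response sequence in `demo()` are constructed for illustration.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute time at which knowledge of the host lapses
    include_subdomains: bool  # includeSubDomains directive was present


class HstsCache:
    """Minimal model of a UA's Known HSTS Host store (RFC 6797, section 8)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.hosts: Dict[str, HstsEntry] = {}

    @staticmethod
    def parse_sts(value: str) -> Optional[Tuple[int, bool]]:
        """Return (max_age, include_subdomains), or None for an invalid header.
        max-age is required and every directive may appear only once (6.1);
        unknown directives are ignored."""
        max_age: Optional[int] = None
        include_sub = False
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            name, val = name.strip().lower(), val.strip().strip('"')
            if name == "max-age":
                if max_age is not None or not val.isdigit():
                    return None
                max_age = int(val)
            elif name == "includesubdomains":
                if include_sub:
                    return None
                include_sub = True
        return None if max_age is None else (max_age, include_sub)

    def process_response(self, host: str, secure: bool, sts_header: Optional[str]) -> None:
        """Section 8.1. `secure` means TLS with no certificate errors or warnings;
        over anything else the header MUST be ignored. A missing header leaves
        existing knowledge untouched (8.6); max-age=0 removes the host."""
        host = host.lower()
        if not secure or sts_header is None:
            return
        parsed = self.parse_sts(sts_header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.hosts.pop(host, None)
            return
        self.hosts[host] = HstsEntry(self.clock() + max_age, include_sub)

    def is_known(self, host: str) -> bool:
        """Section 8.2: the host itself, or a superdomain whose entry carries
        includeSubDomains, must have an unexpired entry. Expired entries are dropped."""
        host = host.lower()
        now = self.clock()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.hosts.get(candidate)
            if entry is None:
                continue
            if entry.expires <= now:
                del self.hosts[candidate]
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite_url(self, url: str) -> str:
        """Section 8.3: for a Known host, replace http with https; an explicit
        port 80 becomes 443 (left implicit here), other explicit ports are kept."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_known(host):
            return url
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo() -> Dict[str, object]:
    """Replay a constructed response sequence: document with STS, then a CSS
    file without it, then an http response carrying STS, then time passing."""
    clock = [1_000_000.0]
    cache = HstsCache(clock=lambda: clock[0])
    out: Dict[str, object] = {}
    cache.process_response("example.com", True, "max-age=324000; includeSubDomains")
    cache.process_response("example.com", True, None)          # style.css, header unset
    out["known_after_css"] = cache.is_known("example.com")     # True (8.6)
    out["subdomain_known"] = cache.is_known("static.example.com")
    cache.process_response("other.example", False, "max-age=31536000")
    out["http_header_ignored"] = not cache.is_known("other.example")
    out["rewritten"] = cache.rewrite_url("http://example.com:80/a.css?v=1")
    clock[0] += 324000                                          # max-age reached
    out["known_after_expiry"] = cache.is_known("example.com")
    return out


if __name__ == "__main__":
    print(demo())
```

Note that the Apache snippet sets the header with `Header always set`, so it is also emitted on plain-http responses if the same configuration serves port 80; the model above shows why that is harmless: a conforming UA ignores the header unless it arrived over an error-free TLS connection.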