I'm having difficulty finding out what it means when I have the response header Non-Authoritative-Reason: HSTS
I have searched a lot but just came up
According to MDN (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security):

"The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it."
And the HSTS Preload list deployment recommendations mention:

"Add the Strict-Transport-Security header to all HTTPS responses"
The HTML5 Boilerplate shows how to only set Strict-Transport-Security over HTTPS (in Apache):

# www.example.com -> example.com redirect (applied to plain-HTTP requests only);
# the PROTO variable is expected to be set elsewhere in the config (e.g. via SetEnvIf)
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ %{ENV:PROTO}://%1%{REQUEST_URI} [R=301,L]
# Emit Strict-Transport-Security only when the request itself arrived over TLS
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" "expr=%{HTTPS} == 'on'"
</IfModule>
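A split-vhost Apache layout that satisfies both quotes above (no HSTS header on plain HTTP, HSTS on every HTTPS response), added here as an example rather than taken from the answer or from HTML5 Boilerplate; the domain, certificate paths and max-age value are assumed placeholders:

```apache
# Plain-HTTP vhost: never emits Strict-Transport-Security (the browser would
# ignore it anyway); its only job is to send clients to HTTPS.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    # 301 so clients and caches learn the HTTPS location permanently
    Redirect permanent / https://example.com/
</VirtualHost>

# HTTPS vhost: the only place HSTS is sent, and it is sent on every response.
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # Placeholder paths; substitute the real certificate and key
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    <IfModule mod_headers.c>
        # "always" attaches the header to error responses (4xx/5xx) as well,
        # so that "all HTTPS responses" really do carry it.
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    </IfModule>
</VirtualHost>
```

With this layout a request to http://example.com/ gets a 301 without any Strict-Transport-Security header, and only the https:// response carries the policy.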