It's important to note that even if the HSTS header were present on the mobile site, the exploit would still be possible, since many mobile browsers do not support HSTS [1].

[1] http://michael-coates.blogspot.com/2013/09/security-capabilities-comparison-hsts.html
> We are slowly rolling out HSTS across the entirety of Facebook's infrastructure. The fact that m.facebook.com does not send this header currently is by design.

Why not? For browsers that don't support HSTS, the header will be ignored. For those that do support it, the end-user gets better security. Is there a feasible reason for not enabling it everywhere? My guess would be so Facebook can disable SSL for certain browsers?
I don't get this header. Wouldn't the man-in-the-middle that is using something like sslstrip also be able to strip out any header they choose to?
I think marking cookies Secure-only is more important than HSTS, but if both are lacking, then it's quite a bad thing.

Btw, there are many sites like this out there, so this isn't news, actually. There are even more sites which lack HTTPS completely.
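The two questions raised above (can an sslstrip-style attacker simply strip the HSTS header, and how does the cookie Secure attribute compare) come down to where the browser enforces the policy. The model below is an added example, not code from the thread or from any browser: it simulates a browser with an HSTS cache and a cookie jar, an HTTPS-only origin, and an on-path attacker that can read and rewrite plain HTTP but cannot terminate HTTPS. The hostname, cookie name and cookie value are constructed. It shows that the attacker can indeed strip the header on a first visit over plain HTTP (and the browser would ignore it there anyway, per RFC 6797), that a policy already cached from an earlier HTTPS visit upgrades the request before any bytes leave the machine, and that a Secure cookie stays off the wire even when the downgrade itself succeeds.

```python
"""Toy model of how a browser's HSTS cache and the cookie Secure attribute
interact with an sslstrip-style middlebox.  Constructed example: the hostname,
cookie name and values are made up; nothing here touches a real network."""
from urllib.parse import urlsplit

HOST = "m.example.com"  # constructed hostname


def parse_max_age(value):
    """Return the max-age directive of a Strict-Transport-Security value."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            return int(val)
    return 0


class Server:
    """HTTPS-only origin.  send_hsts: emit Strict-Transport-Security on HTTPS
    responses; secure_cookie: set the session cookie with the Secure attribute."""

    def __init__(self, send_hsts=True, secure_cookie=True):
        self.send_hsts = send_hsts
        self.secure_cookie = secure_cookie

    def handle(self, scheme, cookies):
        if scheme != "https":
            # A plain-HTTP request only gets a redirect to HTTPS.
            return {"status": 301, "headers": {}, "set_cookie": None}
        headers = {}
        if self.send_hsts:
            headers["strict-transport-security"] = "max-age=31536000"
        return {"status": 200, "headers": headers,
                "set_cookie": ("session", "s3cr3t", self.secure_cookie)}


class Direct:
    """Clean path: the browser reaches the origin directly."""

    def __init__(self, server):
        self.server = server

    def fetch(self, scheme, cookies):
        return self.server.handle(scheme, cookies)


class SslStrip:
    """On-path attacker.  Plain HTTP is visible and rewritable; HTTPS cannot be
    terminated without a certificate the browser trusts, so it passes through."""

    def __init__(self, server):
        self.server = server
        self.captured = []  # cookie sets observed in cleartext

    def fetch(self, scheme, cookies):
        if scheme == "https":
            return self.server.handle(scheme, cookies)
        self.captured.append(dict(cookies))
        # Fetch the real page over HTTPS ourselves, then hand the victim a
        # plaintext 200 with the HSTS header removed (the redirect is swallowed).
        upstream = self.server.handle("https", cookies)
        headers = {k: v for k, v in upstream["headers"].items()
                   if k != "strict-transport-security"}
        return {"status": 200, "headers": headers, "set_cookie": upstream["set_cookie"]}


class Browser:
    def __init__(self, now=0):
        self.now = now
        self.hsts = {}  # host -> policy expiry time
        self.jar = {}   # cookie name -> (value, secure)

    def navigate(self, url, network):
        parts = urlsplit(url)
        scheme, host = parts.scheme, parts.hostname
        expiry = self.hsts.get(host)
        if scheme == "http" and expiry is not None and expiry > self.now:
            scheme = "https"  # internal upgrade; no plaintext request is ever made
        # Cookies with the Secure attribute never ride on a plaintext request.
        cookies = {n: v for n, (v, secure) in self.jar.items()
                   if scheme == "https" or not secure}
        resp = network.fetch(scheme, cookies)
        sts = resp["headers"].get("strict-transport-security")
        if sts and scheme == "https":  # RFC 6797: the header is ignored over plain HTTP
            self.hsts[host] = self.now + parse_max_age(sts)
        if resp["set_cookie"]:
            name, value, secure = resp["set_cookie"]
            self.jar[name] = (value, secure)
        return scheme, resp


def first_visit_under_attack():
    """No cached policy yet: the downgrade works and the header never arrives."""
    mitm = SslStrip(Server(send_hsts=True, secure_cookie=False))
    b = Browser()
    b.jar["session"] = ("s3cr3t", False)  # constructed: set earlier without Secure
    scheme, _ = b.navigate(f"http://{HOST}/", mitm)
    return scheme, mitm.captured, HOST in b.hsts


def primed_visit_under_attack():
    """One clean HTTPS visit caches the policy; later http:// URLs are upgraded."""
    server = Server(send_hsts=True, secure_cookie=False)
    b = Browser()
    b.navigate(f"https://{HOST}/", Direct(server))  # e.g. on a trusted network
    b.now += 3600
    mitm = SslStrip(server)
    scheme, _ = b.navigate(f"http://{HOST}/", mitm)
    return scheme, mitm.captured, HOST in b.hsts


def secure_cookie_without_hsts():
    """No HSTS, but the cookie is Secure: the downgrade succeeds, the cookie stays home."""
    server = Server(send_hsts=False, secure_cookie=True)
    b = Browser()
    b.navigate(f"https://{HOST}/", Direct(server))  # login sets the Secure cookie
    mitm = SslStrip(server)
    scheme, _ = b.navigate(f"http://{HOST}/", mitm)
    return scheme, mitm.captured, HOST in b.hsts


if __name__ == "__main__":
    for fn in (first_visit_under_attack, primed_visit_under_attack, secure_cookie_without_hsts):
        print(f"{fn.__name__}: scheme, captured, hsts_cached = {fn()}")
```

The first scenario is the one the sslstrip question describes, and it is why the header alone does not protect a user who has never completed an HTTPS visit (browser preload lists exist to close exactly that gap). The third scenario shows the trade-off behind the cookie comment: Secure keeps the session token out of the attacker's capture, but the user is still talking to the attacker's plaintext page, so anything typed into it is exposed.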