
Man-in-the-middle attack on Mobile Facebook possible due to lack of HSTS header

39 points by nelse, over 11 years ago

5 comments

pmh, over 11 years ago

It's important to note that even if the HSTS header was present on the mobile site, the exploit would still be possible since many mobile browsers do not support HSTS[1].

[1] http://michael-coates.blogspot.com/2013/09/security-capabilities-comparison-hsts.html
ancarda, over 11 years ago

> We are slowly rolling out HSTS across the entirety of Facebook's infrastructure. The fact that m.facebook.com does not send this header currently is by design.

Why not? For browsers that don't support HSTS, the header will be ignored. For those that do support it, the end-user gets better security. Is there a feasible reason for not enabling it everywhere? My guess would be so Facebook can disable SSL for certain browsers?
matt_heimer, over 11 years ago

I don't get this header. Wouldn't the man-in-the-middle that is using something like sslstrip also be able to strip out any header they choose to?
Comment #6530332 not loaded
elwell, over 11 years ago

Useful post simply for bringing attention to HSTS; of which, I've never heard.
Sami_Lehtinen, over 11 years ago

I think marking cookies secure only is more important than HSTS, but if both lack, then it's quite a bad thing.

Btw. There are many sites like this out there. So this isn't news actually. There are even more sites which lack HTTPS completely.