In an HTTP response there can be a Strict-Transport-Security header. I was sure that it must be written in Train-Case, like it is on dropbox.com:
$ curl --silent --head https://dropbox.com | grep -i strict
Strict-Transport-Security: max-age=15552000; includeSubDomains
But on one site I saw it written in kebab-case (this site is not publicly accessible, that's why I don't give a link to it):
$ curl --silent --head https://... | grep -i strict
strict-transport-security: max-age=31536000; includeSubDomains
Is it correct to use all lower case letters in the Strict-Transport-Security header?
The HTTP specification, RFC 7230 section 3.2, says header names are case-insensitive. So you can send them in lower case if you like.
However, it is traditional to send them using the specification document's casing, if only to make life easier for people troubleshooting the traffic.
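An added example, not part of the original question or answer: a Python check that finds and parses the HSTS header regardless of how the server cases the field name, run over two constructed responses modelled on the curl output in the question. The function names `parse_headers` and `hsts_policy` are hypothetical.

```python
# Added example: case-insensitive HSTS lookup over a raw HTTP header block.
# The sample responses are constructed, modelled on the curl output above.

def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw header block."""
    fields = []
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                           # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            fields.append((name.strip().lower(), value.strip()))
    return fields


def hsts_policy(raw):
    """Parse the first Strict-Transport-Security field, whatever its casing.
    Returns None if it is absent or lacks a valid max-age (RFC 6797 requires it)."""
    for name, value in parse_headers(raw):
        if name != "strict-transport-security":
            continue
        policy = {"max_age": None, "include_subdomains": False}
        for directive in value.split(";"):
            key, _, arg = directive.strip().partition("=")
            key = key.strip().lower()       # directive names are case-insensitive too
            arg = arg.strip().strip('"')
            if key == "max-age" and arg.isascii() and arg.isdigit():
                policy["max_age"] = int(arg)
            elif key == "includesubdomains":
                policy["include_subdomains"] = True
        # Only the first STS field is considered, so return straight away.
        return policy if policy["max_age"] is not None else None
    return None


# Constructed sample: Train-Case field name.
TRAIN_CASE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n\r\n"
)
# Constructed sample: lower-case field name (HTTP/2 sends names in lower case).
LOWER_CASE = (
    "HTTP/2 200\r\n"
    "strict-transport-security: max-age=31536000; includeSubDomains\r\n\r\n"
)

if __name__ == "__main__":
    for sample in (TRAIN_CASE, LOWER_CASE):
        print(hsts_policy(sample))
```

Both samples yield a valid policy, which is why audit scripts should compare header names case-insensitively, as `grep -i` does in the question.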