I need to activate HSTS on my webserver. But what should I do if the user did not allowed cookies by clicking "no" on my 'do you accept our cookies' alert?
Can I theoretically disable HSTS in such cases or is it always active? I know It would not make sense, but does it work?
This is not possible, due to a chicken and egg problem. HSTS is a header sent by the server. The only way the server would know to omit that header is if the client sent something in the request that would signal that. There's no "opt-out-of-HSTS" request header, so it would have to be something else stored permanently, like… a cookie. Which obviously defeats the purpose.
Further, the server would not be able to set the HSTS header on any first visit. And that rather defeats the purpose of HSTS.