I have added the following line in my .htaccess file to set the HSTS header
Header always set Strict-Transport-Security "max-age=63072000;includeSubDomains;"
To test the HSTS header, I have done the below steps:
The first time I accessed the application and checked it in the developer tools, I could see the HSTS header on all the PHP files, image files, CSS files, and JS files. When I loaded the application again, I could see that the images, CSS, and JS files were loaded from the memory/disk cache, and these files are missing the HSTS header in the response headers. However, the PHP files still show the HSTS header in the response headers.
Is a missing HSTS header on the resource files (image/CSS/JS files) acceptable? Or is it considered a security hole? If so, how can I fix it?
Thank you in advance
The idea behind an HSTS header is that content is always downloaded over an encrypted connection.
Once the files are downloaded and put in your memory/disk cache they are no longer encrypted.
When your browser gets the files from memory/disk cache they also don't need to be downloaded over any connection. The memory/disk cache is a trusted resource. That's why the HSTS header is not needed.
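To make the point above testable outside the browser, here is an added example (my own code, not the asker's or the answerer's) that parses a Strict-Transport-Security value per the RFC 6797 directive syntax and classifies a set of constructed responses modelled on the question: a first-load PHP page and CSS file carrying the header, the same CSS file served from cache on reload, a page with no header, and one with a too-short max-age. The header dicts, the `from_cache` flag, the file names and the one-year floor are assumptions for illustration. A cached response never reached the server, so no header could have been received; what matters is that every response that does come from the server carries the policy. To see the real headers without the browser cache in the way, a fresh request such as `curl -sI https://your-host/` shows what the server actually sends.

```python
"""Parse and evaluate Strict-Transport-Security headers (added example).

Not code from the original thread. Each "response" is modelled as a plain
dict of headers plus a flag saying whether the browser served it from cache;
all sample data below is constructed, nothing goes over the network.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Two years in seconds: the value set in the .htaccess line in the question.
TWO_YEARS = 63072000
# One year, a common minimum for a meaningful policy (assumed floor here).
ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Returns None if the value is malformed, repeats a directive, or lacks
    max-age (a UA must ignore the header in those cases). Directive names are
    case-insensitive; the empty directive left by a trailing ';' (as in the
    question's .htaccess line) is ignored, as are unknown directives.
    """
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age may be a quoted-string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def check_response(headers: Dict[str, str], from_cache: bool,
                   min_age: int = ONE_YEAR) -> str:
    """Classify one response as 'ok', 'cached', 'missing' or 'weak'.

    from_cache mirrors the memory/disk-cache case from the question: no
    request went to the server, so there was no response header to inspect.
    """
    if from_cache:
        return "cached"
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get("strict-transport-security")
    if value is None:
        return "missing"
    policy = parse_hsts(value)
    if policy is None or policy.max_age < min_age:
        return "weak"
    return "ok"


# Constructed sample responses modelled on the observations in the question.
STS = "max-age=63072000;includeSubDomains;"
SAMPLE_RESPONSES = {
    "index.php": ({"Content-Type": "text/html", "Strict-Transport-Security": STS}, False),
    "style.css (first load)": ({"Content-Type": "text/css", "Strict-Transport-Security": STS}, False),
    "style.css (reload)": ({}, True),          # served from cache, no headers seen
    "legacy.php": ({"Content-Type": "text/html"}, False),
    "short.php": ({"Strict-Transport-Security": "max-age=300"}, False),
}


def audit(responses=SAMPLE_RESPONSES) -> Dict[str, str]:
    """Return a verdict per sample response; only 'missing' and 'weak' need fixing."""
    return {name: check_response(h, cached) for name, (h, cached) in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:24} {verdict}")
```

The "cached" verdict is informational only: it is the case the answer describes, where the browser never asked the server. "missing" on a server-delivered response is the one that matters, because HSTS is remembered from the first response that carries it, and any page a user can land on over plain HTTP before that first response is a real gap.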