I recently discovered during a penetration test that the HSTS header was returned by the application, but in this format:
Does this format mean that the header (HSTS) is not validated by the client and is prevented from doing what it is designed to do? As I understand it, HTTP headers are case-insensitive, but I'm not sure if this is a valid header name.
Any advice is greatly appreciated. Thank you.
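As an added illustration (editor's example, not part of the original question and not tied to whatever exact format the poster saw): RFC 7230 makes HTTP field names case-insensitive, and RFC 6797 makes the HSTS directive names (max-age, includeSubDomains, preload) case-insensitive as well, with max-age mandatory, each directive allowed only once, and the header only honoured over a secure transport. The snippet below models how a user agent would locate and parse the header under those rules. The header list `SAMPLE_HEADERS` is constructed for the example, and the function names are my own.

```python
import re

# Constructed sample response headers for the example (not from the original post).
# Note the lower-case header name: a client must still match it.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("strict-transport-security", "max-age=31536000; includeSubDomains"),
]


def find_header(headers, name):
    """Case-insensitive header-name lookup (RFC 7230 section 3.2: field names are
    case-insensitive). Returns the first match only, because RFC 6797 section 8.1
    says a UA processes just the first STS header field in a response."""
    wanted = name.lower()
    for key, value in headers:
        if key.lower() == wanted:
            return value
    return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security field value per the RFC 6797 section 6.1
    grammar. Returns a policy dict, or None if the value is not a usable policy."""
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # the ABNF permits empty directives between semicolons
        name, _, val = raw.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        val = val.strip()
        # directive-value may be a quoted-string; unwrap the quotes
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        if name in directives:
            # RFC 6797 says each directive MUST appear only once; this example
            # takes the conservative choice of rejecting the whole header.
            return None
        directives[name] = val
    if "max-age" not in directives:
        return None  # max-age is required for the header to carry a policy
    if not re.fullmatch(r"[0-9]+", directives["max-age"]):
        return None  # max-age must be delta-seconds
    # Unrecognised directives are ignored rather than rejected.
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def evaluate_hsts(headers, over_tls):
    """Return the HSTS policy a UA would record for this response, or None.
    RFC 6797 section 8.1: the STS header is only processed over secure transport."""
    if not over_tls:
        return None
    value = find_header(headers, "Strict-Transport-Security")
    if value is None:
        return None
    return parse_hsts(value)


if __name__ == "__main__":
    print(evaluate_hsts(SAMPLE_HEADERS, over_tls=True))
```

The lookup succeeds whether the server sent `Strict-Transport-Security`, `strict-transport-security` or any other capitalisation; what actually decides whether a policy is recorded is the directive content (a valid `max-age`, no duplicated directive) and the transport it arrived over.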