- Let's say that the certificate expires too soon (every year if you don't pay attention) and you didn't replace it on time.
- a domain doesn't match (it's fun with CDNs, aliases and international sites with domains by country)
- a subdomain doesn't match (if you enable strict subdomains)
- you test a new certificate and it's not set up right
- it's broken for all non-public certificates, so never try that on test domains, internal domains or private cert chains.
The issue with HSTS is that if any of this happens, your site is entirely locked down and gives a very scary error to ALL your users. (There is no "ignore certificate" button; HSTS cert errors have a special page.)
It gets worse from there. HSTS is IMPOSSIBLE to disable.
The only way to stop it is to send an "HSTS header: 0 duration" header along with the page, which you cannot send because all connections are dropped before they are established. You are fucked! (speaking from experience :D)
Last but not least: HSTS is cached by browsers in a special way. Asking your customers to clear the cache has no effect.
Obviously when you're first rolling it out you should use a short duration to allow for a quick rollback if something goes wrong.
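As an added example (not code from anyone in this thread), the following Python models how a browser stores and applies an HSTS policy per RFC 6797, covering the points raised above: the header is only honoured over a TLS connection with no certificate error, includeSubDomains extends the policy to every subdomain, a short max-age lapses on its own for a quick rollback, max-age=0 served over a working HTTPS connection deletes the entry, and clearing the ordinary page cache does not touch the policy store. Host names, header values and timings are constructed for the demonstration; browser preload lists are not modelled.

```python
# Added example: a minimal model of a browser's HSTS policy store (RFC 6797).
# Host names, header values and timings are constructed for illustration.
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expires_at: float          # absolute time (seconds) the policy lapses
    include_subdomains: bool   # header carried includeSubDomains


def parse_hsts(header):
    """Return (max_age, include_subdomains), or None if the header is invalid."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None            # duplicate or malformed: browser ignores header
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # "preload" and unknown directives do not change the stored policy
    return None if max_age is None else (max_age, include_sub)   # max-age is required


class HstsCache:
    """Per-host HSTS policies; a separate store from the HTTP page cache."""

    def __init__(self):
        self.entries = {}  # host -> HstsEntry

    def observe(self, host, header, now, over_https=True, cert_ok=True):
        """Apply a response's HSTS header as a browser would (RFC 6797 s.8.1:
        only honoured over TLS with no certificate error, so a site with a
        broken cert cannot un-pin itself with max-age=0)."""
        if not (over_https and cert_ok):
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.entries.pop(host, None)      # max-age=0 deletes the policy
        else:
            self.entries[host] = HstsEntry(now + max_age, include_sub)

    def must_use_https(self, host, now):
        """True if the browser will refuse plain HTTP for this host."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            if entry.expires_at <= now:
                del self.entries[candidate]   # expired: dropped lazily
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def clear_page_cache(self):
        """A user 'clearing the cache' leaves HSTS state untouched."""
        return None


def rollout_scenario():
    """Walk through the cases raised in the thread; returns a dict of findings."""
    cache, r = HstsCache(), {}
    # 1. Header served over plain HTTP, or behind a bad cert, is ignored.
    cache.observe("example.com", "max-age=31536000", now=0, over_https=False)
    cache.observe("example.com", "max-age=31536000", now=0, cert_ok=False)
    r["ignored_when_insecure"] = not cache.must_use_https("example.com", now=1)
    # 2. First rollout: short max-age (5 minutes) plus includeSubDomains.
    cache.observe("example.com", "max-age=300; includeSubDomains", now=100)
    r["apex_pinned"] = cache.must_use_https("example.com", now=150)
    r["subdomain_pinned"] = cache.must_use_https("dev.example.com", now=150)
    r["other_site_unaffected"] = not cache.must_use_https("notexample.com", now=150)
    # 3. Rollback option A: wait; a short policy lapses on its own.
    r["expired_after_max_age"] = not cache.must_use_https("example.com", now=401)
    # 4. Rollback option B: serve max-age=0 over a *working* HTTPS connection.
    cache.observe("example.com", "max-age=300", now=500)
    cache.observe("example.com", "max-age=0", now=510)
    r["cleared_by_max_age_zero"] = not cache.must_use_https("example.com", now=511)
    # 5. One-year policy, then the cert breaks: max-age=0 is never trusted and
    #    clearing the page cache changes nothing, a month later or a year later.
    cache.observe("example.com", "max-age=31536000; includeSubDomains", now=600)
    cache.observe("example.com", "max-age=0", now=700, cert_ok=False)
    cache.clear_page_cache()
    r["stuck_for_a_year"] = cache.must_use_https("internal.example.com", now=700 + 30 * 86400)
    return r
```

Calling rollout_scenario() returns a dict in which every finding is True. Step 5 is the situation described in the thread: once a long max-age has been stored, the only response that can shorten it has to arrive over a connection the browser already trusts, so the practical order is to fix the certificate first, then serve a reduced max-age (or max-age=0) and wait for clients to revisit.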
Of course nothing about this truly prevents someone who didn't take proper precautions when setting it up from screwing it up. Unfortunately it's hard to make a more tolerant system without also making it vulnerable again...
Not HPKP.