Posted by Ricardo Iramar dos Santos on Jan 20

Hi All,

I’ve noticed that mobile.facebook.com domain is not on HSTS preload
list or sending the Strict-Transport-Security header. All the others
domains like m.facebook.com is using HSTS properly.
I reported this to Facebook on 12/3/15 through the whitehat program
and got the answer below. I’ve checked again today and it still not
using HSTS. Not sure why Facebook is not protecting this domain with
HSTS.

Hi Ricardo,
Thank you…