In http response there can be header Strict-Transport-Security. I was sure that it must be written in Train-Case, like it is on dropbox.com:
$ curl --silent --head https://dropbox.com | grep -i strict Strict-Transport-Security: max-age=15552000; includeSubDomains
But on one site I saw it written in kebab-case (this site is not publicly accessable, thats why I don't give link to it):
$ curl --silent --head https://... | grep -i strict strict-transport-security: max-age=31536000; includeSubDomains
Is it correct to use all lower case letters in Strict-Transport-Security header?