If a server sends two Strict-Transport-Security (STS) headers for a single connection, they will be rejected as invalid and HTTP Strict Transport Security (HSTS) will not be enabled for the connection. External Reference: https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7789 Acknowledgements: Name: the Mozilla project Upstream: Muneaki Nishimura