Thanks for tackling this. I'll try to get it reviewed this week.

@victoriadrake can we maybe add a reference of this in the main template so that people following it would make sure to see this?

@rbsec as you mentioned in a previous comment, the HTTP request doesn't declare if this is under TLS, and yet I don't see a need for that, unless we're talking about the TLS section. Do you think we should include an example for a clear representation of a HTTPS request? Like this: GET https://example.com/home/ HTTP/1.1

@ThunderSon I don't like including the protocol inside a GET request like that, because it's not a valid request, and will confuse people. I think in the few cases it does matter, it's probably better to just explain it in the preceding sentence?

The other option (and the one I'd normally use in a report), is to format it something like the below (although looks a bit messy on GitHub with the line spacing before the code block):

POST https://example.org/login

X-Token: SecretStuff
[...]
user=foo;password=bar

The response then includes the HSTS header:

200 OK
HSTS: True

@victoriadrake can we maybe add a reference of this in the main template so that people following it would make sure to see this?

Do you mean this page? I'm happy to do that in a new PR once this gets settled.

Please comment if you are still working on this PR, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it for new contributors to take over.

#733 (comment) is still outstanding (just to settle on square brackets or not)