It's part of "defense in depth." Mess up one input validation? No problem, your CSP prevents client-side execution of injected scripts for most users.
Returning user, temporarily on an untrustworthy network? No problem, your HSTS header ensures they only attempt to talk to you over SSL.
It's the same reason you should set cookies to `secure; HttpOnly` -- you don't expect untrustworthy scripts to run on your page, but if they somehow do, you've got a second line of defense.
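The three layers the comment names can be checked mechanically. The following is an added example, not code from the comment's author: it builds the header set a defended response would carry (the policy values are illustrative assumptions, not a recommendation for any particular site) and audits an arbitrary header dictionary for the same three layers, returning a list of short finding codes. The weak header set is constructed inline for demonstration.

```python
import re

# Minimum HSTS lifetime this audit accepts (about six months, in seconds). Assumption.
MIN_HSTS_AGE = 15768000


def hardened_headers(cookie_name: str, cookie_value: str) -> dict:
    """Response headers that give the three defense-in-depth layers:
    CSP (injected script does not run), HSTS (no plaintext retry on a hostile
    network), and a cookie scripts cannot read and browsers only send over TLS."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Set-Cookie": f"{cookie_name}={cookie_value}; Secure; HttpOnly; SameSite=Lax; Path=/",
    }


def _csp_directives(policy: str) -> dict:
    """Split 'name src src; name src' into {name: [src, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _cookie_attrs(set_cookie: str) -> set:
    """Lower-cased attribute names after the name=value pair of one Set-Cookie."""
    return {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}


def audit_headers(headers: dict) -> list:
    """Return finding codes for missing or weak layers; [] means all three are present."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Layer 1: CSP. script-src falls back to default-src when absent.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("csp-missing")
    else:
        d = _csp_directives(csp)
        script = d.get("script-src", d.get("default-src", []))
        if not script or "'unsafe-inline'" in script or "*" in script:
            findings.append("csp-weak")

    # Layer 2: HSTS. A very short max-age expires before the user returns.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("hsts-short")

    # Layer 3: cookie flags. Only audited when a cookie is actually set.
    cookies = h.get("set-cookie")
    if cookies is not None:
        for c in cookies if isinstance(cookies, list) else [cookies]:
            attrs = _cookie_attrs(c)
            if "secure" not in attrs:
                findings.append("cookie-not-secure")
            if "httponly" not in attrs:
                findings.append("cookie-not-httponly")

    return findings


# Constructed sample: a response that sets headers but gets each layer wrong.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "Set-Cookie": "session=abc123; Path=/",
}

if __name__ == "__main__":
    print("hardened:", audit_headers(hardened_headers("session", "abc123")))
    print("weak:", audit_headers(WEAK_HEADERS))
```

`audit_headers` deliberately reports the cookie layer only when a `Set-Cookie` header is present, so a static asset response does not produce false findings; a session-setting response with the flags missing is reported once per missing flag.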