
I have several IP-based virtual hosts that I want to add the Strict-Transport-Security header on. I'm using Apache 2.4 custom compiled.

Currently I have two <VirtualHost> containers for each domain, like so:

<VirtualHost ${IP3}:80>
    ...
    <IfModule rewrite_module>
        RewriteEngine On
        RewriteCond %{HTTPS} off [OR]
        RewriteCond %{HTTP_HOST} !^www\. [NC]
        RewriteRule .* https://www.${SITE}%{REQUEST_URI} [NE,R=301,L]
    </IfModule>
    ...
</VirtualHost>

<VirtualHost ${IP3}:443>
    ...
</VirtualHost>

The first VirtualHost does a simple mod_rewrite for non-SSL and non-www requests, redirecting all requests to the second VirtualHost. Easy.

Question 1

Should I set up my mod_headers stuff in the first VirtualHost container (:80), the second (:443), or both?

Question 2

Should my mod_headers stuff come before or after the mod_rewrite stuff?

Question 3

Should I apply the Strict-Transport-Security header to all files, or only to .htm, .html and .php files? (I have a FilesMatch directive set up as a qualifier for certain headers.)

My Best Guess Answers

Before any testing, my best guess answers would be:

Q1. Add mod_headers stuff to both VirtualHost containers.

Q2. mod_headers stuff should come before mod_rewrite stuff.

Q3. Yes, only those web filetypes that you serve need Strict-Transport-Security. No need to add it to .gifs, .pngs, .svgs, .css, .js, etc.

EDIT: I see Stack Exchange also adds them to their robots.txt file.

Thanks.

Jeff

1 Answer


I'm going to post an answer temporarily and if someone comes along and corrects me, I'll mark your answer right.

Q1. Definitely set Strict-Transport-Security headers in both :80 and :443 VirtualHosts.

Q2. Definitely add the headers before any mod_rewrite redirection rules.

Q3. I'm a little less certain about this answer.

Some sites use both SSL and non-SSL assets (css, js, images), but my sites only serve content over SSL.

So the answer is: it depends on your setup and what you want. There is no harm in adding the header to css, js, images, etc. And conversely, there is no harm in not adding it to those file types.

Jeff
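Editor's note, as an added example that is not part of the question or the answer above. Three points a practitioner would want before copying the answer: browsers are required to ignore a Strict-Transport-Security header received over plain HTTP (RFC 6797 section 8.1), so the header only has an effect on the :443 host; the position of a Header directive relative to mod_rewrite rules does not matter, because mod_headers adds headers at output time, but the default Header set only applies to 2xx responses, so the 301 produced by the non-www rewrite needs Header always set; and HSTS is a per-host policy, not a per-resource one, so there is no reason to restrict it with FilesMatch. The configuration below assumes the same ${IP3} and ${SITE} variables as the question and an already working certificate setup in the :443 host. includeSubDomains is only safe when every subdomain of ${SITE} is served over HTTPS; drop it otherwise.

```apache
# Added example, not from the original post. Assumes ${IP3} and ${SITE} are
# Defined as in the question and that the :443 host already has its
# SSLCertificateFile / SSLCertificateKeyFile directives.

<VirtualHost ${IP3}:80>
    ServerName www.${SITE}
    ServerAlias ${SITE}
    # The plain-HTTP host only redirects. A Strict-Transport-Security header
    # sent here would be ignored by browsers (RFC 6797 section 8.1), so none
    # is set; the policy is learned from the first HTTPS response instead.
    Redirect permanent / https://www.${SITE}/
</VirtualHost>

<VirtualHost ${IP3}:443>
    ServerName www.${SITE}
    ServerAlias ${SITE}
    SSLEngine on
    # ... certificate directives as in your existing :443 host ...

    <IfModule headers_module>
        # "always" applies the header to every response, including the 301
        # generated by the non-www rewrite below and any 4xx/5xx pages. The
        # default condition ("onsuccess") would only cover 2xx responses.
        # One year, covering subdomains (only if they are all HTTPS).
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    </IfModule>

    <IfModule rewrite_module>
        RewriteEngine On
        # HTTPS is already guaranteed on this host, so only the non-www case
        # needs redirecting here.
        RewriteCond %{HTTP_HOST} !^www\. [NC]
        RewriteRule .* https://www.${SITE}%{REQUEST_URI} [NE,R=301,L]
    </IfModule>
</VirtualHost>
```

To verify after a reload, request both the canonical host and the bare host over HTTPS and check that the header appears on the 200 and on the 301 alike, for example with curl -sI https://www.example.com/ and curl -sI https://example.com/ (both should show a Strict-Transport-Security line); the plain-HTTP request curl -sI http://example.com/ should show only the redirect.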