I disagree with RFC6797 on HTTP Strict Transport Security, especially Section 12.1: No User Recourse. If you want to stop users from randomly pressing the big red BYPASS button because they have no clue what they are doing, you might as well stop them from using a computer.
RFC6797: HSTS