Most common: X-XSS-Protection at 1.52%
CSP was at 0.36%
Least common: STS at 0.002%
People don't use security features
Lazy / uninterested? (probably not)
Unaware? (more likely)
make it easier for developers to do the right thing!
highlight what's missing or broken
make it easier / quicker to use security features
by providing features to allow developers to identify problems
by providing features to help implement security controls
similar to report-uri
more convenient / immediate for a developer if it's in-browser
take some of the guesswork out of SSL problems
this is easy, currently, if you've got a simple page
it's annoying when you've got anything bigger
See what fails (and why)?
with links to information that explains how it could (and why it should) be better?
Visible warning if a password field is on an http page and/or in a form whose submit action goes over http.
highlight factors that are out of compliance (like some of the ideas we've mentioned, or rules the developer has configured).
(this kind of thing is massively useful for devs and security people in large corporations)
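What the password-field warning above would have to check, as an added example (not code from the talk or from any browser): resolve each form's action against the page URL the way the browser does, then flag forms that either sit on a plain-http page or would submit credentials to a plain-http endpoint. The page URL, form list and hostnames are constructed sample input.

```javascript
// Added example: detect password fields served over http or submitted over http.
// Works on a plain description of the page so it runs in Node as well as a
// browser; collectForms() shows how to build that description from a live DOM.

// Resolve a form's action like the browser does: relative to the page URL,
// with a missing or empty action meaning "submit to the current page".
function resolveAction(action, pageUrl) {
  return new URL(action == null ? '' : action, pageUrl);
}

// forms: [{ action: raw action attribute or null, hasPasswordField: bool }]
function auditPasswordForms(pageUrl, forms) {
  const page = new URL(pageUrl);
  const findings = [];
  forms.forEach((form, index) => {
    if (!form.hasPasswordField) return; // only credential forms matter here
    const target = resolveAction(form.action, page.href);
    if (page.protocol === 'http:') {
      findings.push({ form: index, problem: 'password-field-on-http-page',
        detail: `page ${page.href} is served over plain http` });
    }
    if (target.protocol === 'http:') {
      findings.push({ form: index, problem: 'password-submitted-over-http',
        detail: `form would submit credentials to ${target.href}` });
    }
  });
  return findings;
}

// Browser-side collector (assumed usage; not exercised here). Read the raw
// attribute rather than form.action: the property is already resolved, and an
// <input name="action"> would shadow it.
function collectForms(doc) {
  return Array.from(doc.forms).map(f => ({
    action: f.getAttribute('action'),
    hasPasswordField: f.querySelector('input[type="password"]') !== null,
  }));
}

// Constructed sample: an https login page with one safe form and one form
// that posts credentials to a legacy http endpoint.
const samplePage = 'https://example.test/account/login';
const sampleForms = [
  { action: '/session', hasPasswordField: true },                         // resolves to https: fine
  { action: 'http://legacy.example.test/auth', hasPasswordField: true },  // credentials over http
  { action: '', hasPasswordField: false },                                // no password: ignored
];

function runSample() {
  return auditPasswordForms(samplePage, sampleForms);
}
```

In a browser the same check is `auditPasswordForms(location.href, collectForms(document))`.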
sometimes people lose sight of where they're getting stuff from
Things like DOMinator (the only DOM XSS tool I've seen that works)
It's important to expose new-ish functionality in a way that's useful for tooling (e.g. WebSockets)