Can you pass down a header to the client describing the security of the origin connection? Or let me pass CloudFlare a header saying that I explicitly would rather you drop the connection than plain-text it back to origin?
I like the idea of a client-specified HSTS header - allowing users to control their risk directly (albeit through a browser extension) would definitely be a good thing.