Fold Martin's suggested text in

MikeBishop · MikeBishop · commit 7e31124f52c4 · 2025-06-24T16:19:42.000-04:00
diff --git a/draft-ietf-httpapi-privacy.md b/draft-ietf-httpapi-privacy.md
@@ -170,7 +170,10 @@ recommendations above.
 ## Implement Relevant Protocols
 
 Clients SHOULD support and query for HTTPS records {{!RFC9460}} when
-establishing a connection and SHOULD respect HSTS headers {{!RFC6797}} received
+establishing a connection. This gives servers an opportunity to provide more
+complete information about capabilities, some of which are security-relevant.
+
+Clients SHOULD respect HSTS headers {{!RFC6797}} received
 from a server. This includes implementing persistent storage of HSTS indications
 received from the server.
 
@@ -185,8 +188,10 @@ token whose value begins with "secret-token:" over an insecure channel.
 When authentication is used, clients SHOULD require an explicit indication from
 the user or caller that an insecure context is expected which is distinct from
 the provided URI. Depending on the interface, this might be a UI preference or
-an API flag. Without such an indication, attempts to send credentials should
-fail without producing any network traffic.
+an API flag.
+
+Absent such an indication, clients of HTTP APIs MUST implement and use HTTPS
+exclusively.
 
 # Security Considerations
 
