Apache

I’ve seen this bug ship more than once: a team enables HSTS, feels good about “forcing HTTPS,” and then learns the hard way that HSTS does nothing for a user’s very first HTTP visit. That gap matters. If you’re deciding between an HTTPS redirect and HSTS, the answer is not “pick one.” You need both. The real question is which one protects the user first, and how to roll them out without breaking login flows, subdomains, or that one forgotten asset host from 2018. ...

HSTS in Apache is one of those things that’s surprisingly easy to turn on, but also easy to get wrong if you rush it. If you’re serving a site over HTTPS, you should almost certainly be sending the Strict-Transport-Security header. It tells browsers: “from now on, only ever talk to me over HTTPS.” That closes off a whole class of downgrade and SSL-stripping attacks, and it helps make your HTTPS setup actually stick. ...