HSTS for AWS API Gateway: Setup, Limits, and Gotchas

HTTP Strict Transport Security sounds simple: send one response header and browsers stop using plain HTTP for your domain. With AWS API Gateway, it’s a little messier. The short version: API Gateway can return Strict-Transport-Security, but whether HSTS actually helps depends on how clients reach your API, whether you use a custom domain, and whether any HTTP endpoint still exists in front of it.

If you only remember one thing, remember this: HSTS protects browser traffic for hostnames, not APIs in the abstract. If your API is consumed by server-to-server clients, mobile apps, or SDKs, HSTS is mostly irrelevant. If your API is called from browser-based apps on a custom domain, then it absolutely matters. ...
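As an added example (not code from the original post or from AWS), here is a Lambda proxy-integration handler that returns the header, alongside a small checker that parses a Strict-Transport-Security value and flags the cases the paragraph warns about: a missing header, a short max-age, and a response served over plain HTTP, which browsers ignore for HSTS purposes. The response shape assumes the REST proxy / HTTP API v2 format; header lookup is case-insensitive because gateways and proxies may rewrite header case.

```python
# Added example, not the original page's code. Assumes an API Gateway
# proxy-integration response shape and case-insensitive header matching.
HSTS_VALUE = "max-age=31536000; includeSubDomains"  # one year, subdomains too


def lambda_handler(event, context=None):
    """Return an API Gateway proxy response carrying the HSTS header."""
    return {
        "statusCode": 200,
        "headers": {
            "Content-Type": "application/json",
            "Strict-Transport-Security": HSTS_VALUE,
        },
        "body": '{"ok": true}',
    }


def parse_hsts(value):
    """Split an HSTS value into a dict of directives (names lower-cased)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers, scheme="https", min_max_age=31536000):
    """Return findings; an empty list means the header is present, served
    over HTTPS, and meets the minimum max-age."""
    findings = []
    if scheme != "https":
        # Browsers discard STS received over plain HTTP (RFC 6797 section 8.1),
        # so an HTTP endpoint in front of the API gains nothing from the header.
        findings.append("served over http: browsers ignore HSTS on this response")
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        findings.append("missing Strict-Transport-Security header")
        return findings
    try:
        max_age = int(parse_hsts(value).get("max-age", ""))
    except ValueError:
        findings.append("max-age directive missing or not an integer")
        return findings
    if max_age < min_max_age:
        findings.append(f"max-age {max_age} below minimum {min_max_age}")
    return findings
```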

June 1, 2026 · 8 min · headertest.com