HSTS on Caddy: a real-world before and after
I’ve seen plenty of teams assume Caddy “already handles HTTPS” so they can forget about HSTS. That half-truth causes sloppy rollouts. Caddy does make TLS easy. It gets certificates, renews them, redirects HTTP to HTTPS in many setups, and generally removes a lot of web server pain. But HSTS is a separate browser policy, and if you don’t configure it deliberately, users can still make that very first insecure HTTP request. ...
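The gap described above, shown as an added example that is not from the original post: one site that relies only on Caddy's automatic HTTPS, and one that also sends an HSTS policy. The hostnames, the `localhost:8080` upstream and the `max-age` values are assumptions chosen for illustration.

```caddyfile
# Before (hypothetical site): automatic HTTPS only.
# Caddy obtains and renews the certificate and redirects HTTP to HTTPS,
# but no Strict-Transport-Security header is sent. The browser keeps no
# policy, so every typed or linked http:// URL starts with a plaintext
# request that is only then redirected.
before.example.com {
	reverse_proxy localhost:8080
}

# After (hypothetical site): the same site with HSTS set deliberately.
# Browsers only honour this header when it arrives over HTTPS, and then
# rewrite later http:// requests for this host to https:// themselves
# until max-age (in seconds) expires.
after.example.com {
	# Rollout step 1: a short max-age (one day) so a mistake ages out quickly.
	header Strict-Transport-Security "max-age=86400"

	# Rollout step 2, once every hostname involved is known to serve HTTPS:
	# replace the line above with a long-lived policy. includeSubDomains
	# applies the policy to every subdomain of this host, so confirm all
	# of them serve HTTPS before enabling it.
	# header Strict-Transport-Security "max-age=31536000; includeSubDomains"

	reverse_proxy localhost:8080
}
```

To confirm the policy is live, run `curl -sI https://after.example.com` and look for the `strict-transport-security` response header.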