HSTS and Localhost: Common Dev Mistakes and Fixes
HSTS is one of those headers that feels boring right up until it wrecks your local workflow. I’ve seen this happen in teams more than once: someone enables Strict-Transport-Security in a staging or shared dev environment, tests with a real-looking hostname, and suddenly half the team can’t load the app over HTTP anymore. Then people start clearing browser data, changing ports, restarting Docker, and blaming the reverse proxy. The real problem is usually simpler: the browser is doing exactly what HSTS told it to do. ...
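To see why changing ports or restarting containers does not help, here is a simplified model of how a browser stores and applies HSTS policy under RFC 6797. It is an added example, not code from the original post or from any browser; the `HstsStore` class and the `example.test` hostnames are constructed for illustration.

```javascript
// Simplified model of a browser's HSTS store, following RFC 6797.
// Added illustration, not real browser code; hostnames below are constructed.
class HstsStore {
  constructor() { this.entries = new Map(); } // host -> { expires, includeSubDomains }

  static isIp(host) { return /^\d+(\.\d+){3}$/.test(host) || host.startsWith("["); }

  // Process a Strict-Transport-Security header received from `url` at time `now` (ms).
  noteHeader(url, header, now) {
    const u = new URL(url);
    // The header only counts over HTTPS and never for IP-literal hosts.
    if (u.protocol !== "https:" || HstsStore.isIp(u.hostname)) return false;
    const directives = header.toLowerCase().split(";").map((d) => d.trim());
    const m = directives.map((d) => /^max-age=("?)(\d+)\1$/.exec(d)).find(Boolean);
    if (!m) return false; // max-age is required
    const maxAge = Number(m[2]);
    if (maxAge === 0) { this.entries.delete(u.hostname); return true; } // policy removal
    this.entries.set(u.hostname, {
      expires: now + maxAge * 1000,
      includeSubDomains: directives.includes("includesubdomains"),
    });
    return true;
  }

  // True if `host` or a parent with includeSubDomains has an unexpired entry.
  // Note that the key is the host name only: the port is never part of it.
  matches(host, now) {
    const labels = host.split(".");
    for (let i = 0; i < labels.length; i++) {
      const e = this.entries.get(labels.slice(i).join("."));
      if (e && e.expires > now && (i === 0 || e.includeSubDomains)) return true;
    }
    return false;
  }

  // The URL the browser actually requests after applying HSTS.
  rewrite(url, now) {
    const u = new URL(url);
    if (u.protocol === "http:" && this.matches(u.hostname, now)) u.protocol = "https:";
    return u.href; // an explicit port such as :8080 is kept; only the scheme changes
  }
}

const store = new HstsStore();
store.noteHeader("https://dev.example.test/", "max-age=31536000; includeSubDomains", 0);
console.log(store.rewrite("http://api.dev.example.test:8080/health", 1000));
```

The policy lives in the browser profile and is keyed by host name, so nothing done on the server side, short of serving `max-age=0` over HTTPS, makes an existing entry go away before it expires.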