Common HSTS Mistakes: A Real-World Before/After Case Study

HSTS looks deceptively simple. One header, one line, done. That’s exactly why teams get it wrong. I’ve seen production rollouts where HSTS was added in a hurry, tested once in Chrome, and then forgotten until something broke: login subdomains stopped working, staging got pinned to HTTPS, or preload got enabled before the company actually controlled every edge of its domain. The header itself is easy. The operational blast radius is where people mess up. ...

May 29, 2026 · 7 min · headertest.com

HSTS on Fly.io: Common Mistakes and Fixes

HSTS on Fly.io looks simple right up until it breaks logins, bricks a staging subdomain, or quietly does nothing because the header never reaches the browser. I’ve seen all three. If you’re deploying on Fly.io, the platform handles TLS nicely, but HSTS is still your job. That’s where people get tripped up: they assume “HTTPS is on” means “HSTS is done.” Not even close. Here are the mistakes I see most often, why they happen on Fly.io, and how I’d fix them. ...

May 16, 2026 · 7 min · headertest.com

HSTS for API Endpoints: Pros, Cons, and Deployment Guide

If you run APIs over HTTPS, HSTS looks like an easy win. Set one header, tell clients to never use HTTP again, and reduce downgrade and cookie leakage risks. That’s the sales pitch. For browser-facing traffic, I’m generally a fan. For API endpoints, the answer is more nuanced. HSTS absolutely helps in some API deployments, does almost nothing in others, and can create operational headaches if you roll it out carelessly. ...

May 9, 2026 · 7 min · headertest.com

HSTS vs Mixed Content: Pros, Cons, and Real Fixes

HSTS and mixed content get lumped together because they both live in the HTTPS world. But they solve different problems, fail in different ways, and trip up different teams. If you’re building or maintaining a site, you need to understand the gap between them: HSTS tells the browser to always use HTTPS for your domain. Mixed content happens when an HTTPS page still loads some resources over HTTP. That distinction matters. I’ve seen teams proudly enable HSTS and assume they’re done, while their pages still pull images, scripts, or CSS over plain HTTP. That’s not “mostly secure.” That’s a site with sharp edges. ...

May 5, 2026 · 7 min · headertest.com

HSTS for Azure Static Web Apps: Options, Pros and Cons

If you host on Azure Static Web Apps, HSTS looks deceptively simple. You want one header: "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload". Done, right? Not quite. Azure Static Web Apps is great for shipping frontend apps fast, but once you care about security headers, especially HSTS, you run into a design constraint: you do not get full control over the edge like you would with a custom reverse proxy, Nginx, or a tuned CDN setup. ...

April 27, 2026 · 7 min · headertest.com

HSTS and Certificate Management: A Real-World Fix

A few years ago, I helped clean up a messy HTTPS rollout for a mid-sized SaaS app. On paper, the setup looked fine: valid TLS cert, HTTPS redirect, load balancer in front, and a decent-looking security checklist in the wiki. In production, it was shaky. Users could still hit http:// directly. Some static assets loaded from old subdomains with mismatched certificates. One internal team wanted to turn on HSTS preload immediately because they’d read that “preload means maximum security.” That would have been a great way to lock broken TLS behavior into every browser. ...

April 18, 2026 · 6 min · headertest.com

HSTS Monitoring Mistakes That Break Alerts

HSTS is one of those controls people configure once, feel good about, and then forget for two years. That is exactly why it needs monitoring. I’ve seen teams proudly preload a domain, then quietly lose the header on a CDN edge, a redirect hop, or a newly launched subdomain. Nobody notices until someone runs a scan, a browser behavior changes, or a security review turns up a gap that has been sitting there for months. ...

April 15, 2026 · 8 min · headertest.com