HSTS for Go with Echo: Copy-Paste Reference
HSTS is one of those headers that’s easy to add and surprisingly easy to get wrong. If you run a Go app with Echo, you can enable it in a few lines. The hard part is choosing the right policy, rolling it out safely, and not locking yourself into a bad preload decision. This is the reference I wish more teams had handy.

What HSTS does

Strict-Transport-Security tells browsers:

- always use HTTPS for this site
- for a period of time you define
- optionally for all subdomains too
- optionally with preload eligibility

A typical header looks like this: ...
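The policy choices described above (duration, subdomains, preload), as an added example that is not code from the original page: a standard-library middleware that Echo can mount through `echo.WrapMiddleware`, with a guard that refuses `preload` until the policy meets the preload list's minimums. The `HSTSPolicy` type and the function names are hypothetical, and the `r.TLS` check assumes TLS terminates in the Go process rather than at a proxy.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// HSTSPolicy holds the three choices the header encodes (name is hypothetical).
type HSTSPolicy struct {
	MaxAge            int  // seconds the browser remembers "HTTPS only"
	IncludeSubDomains bool // apply the policy to every subdomain too
	Preload           bool // opt in to browser preload lists
}

// Header renders the header value. It rejects preload unless the policy meets
// the preload list's minimums (max-age of one year plus includeSubDomains).
func (p HSTSPolicy) Header() (string, error) {
	if p.Preload && (p.MaxAge < 31536000 || !p.IncludeSubDomains) {
		return "", errors.New("hsts: preload needs max-age>=31536000 and includeSubDomains")
	}
	v := fmt.Sprintf("max-age=%d", p.MaxAge)
	if p.IncludeSubDomains {
		v += "; includeSubDomains"
	}
	if p.Preload {
		v += "; preload"
	}
	return v, nil
}

// Middleware sets the header on TLS requests only; browsers ignore it over plain HTTP.
func Middleware(value string) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if r.TLS != nil { // assumption: TLS terminates here, not at a proxy
				w.Header().Set("Strict-Transport-Security", value)
			}
			next.ServeHTTP(w, r)
		})
	}
}

func main() {
	v, err := HSTSPolicy{MaxAge: 300}.Header() // constructed first rollout stage
	fmt.Println(v, err)
}
```

Starting with a short `MaxAge` and no `Preload` keeps a mistake recoverable; the guard in `Header` makes the preload step an explicit decision rather than a copied flag.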