HSTS Mistakes in AWS ELB and CloudFront
HSTS looks simple: send Strict-Transport-Security, force browsers onto HTTPS, move on. Then AWS gets involved. I’ve seen teams enable HTTPS on an ALB or CloudFront, add a redirect somewhere, and assume they’re done. They aren’t. HSTS in AWS usually breaks because the setup spans multiple layers: browser, CloudFront, load balancer, origin, app, and sometimes a second redirect hiding in the middle. Here are the mistakes I see most often, and how to fix them. ...
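Because the header has to survive every one of those layers, the first thing worth doing is to walk the whole redirect chain hop by hop and see where Strict-Transport-Security actually appears. The script below is an added example written for this post, not code from the original article or from AWS; the function names (`parse_hsts`, `audit_chain`, `fetch_chain`) are my own, and `SAMPLE_CHAIN` is a constructed chain, not a capture from a real site. It models the multi-layer case the intro describes: an HTTP request to the apex is redirected to HTTPS, a second redirect in the middle sends it on to `www`, and only the final hop sends HSTS, so the apex host is never pinned.

```python
"""Audit an HTTP(S) redirect chain for HSTS coverage, hop by hop (added example)."""
import http.client
from urllib.parse import urljoin, urlparse

# Constructed sample chain, not captured from a real deployment. Hop 1 is the
# plain-HTTP redirect, hop 2 is the HTTPS apex redirecting again to www, and
# only hop 3 carries Strict-Transport-Security.
SAMPLE_CHAIN = [
    {"url": "http://example.com/", "status": 301,
     "headers": {"Location": "https://example.com/"}},
    {"url": "https://example.com/", "status": 301,
     "headers": {"Location": "https://www.example.com/"}},
    {"url": "https://www.example.com/", "status": 200,
     "headers": {"Strict-Transport-Security":
                 "max-age=31536000; includeSubDomains; preload"}},
]


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives.

    Returns None when max-age is missing or not a non-negative integer,
    because a browser will not act on such a header."""
    out = {"max_age": None, "includeSubDomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            out["max_age"] = int(val)
        elif name == "includesubdomains":
            out["includeSubDomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out if out["max_age"] is not None else None


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def audit_chain(hops):
    """Walk a list of {url, status, headers} hops and return HSTS findings."""
    findings = []
    for hop in hops:
        u = urlparse(hop["url"])
        sts = _header(hop["headers"], "Strict-Transport-Security")
        loc = _header(hop["headers"], "Location")
        if u.scheme == "http":
            # RFC 6797: a UA must ignore STS received over plain HTTP, so the
            # only job of this hop is to redirect straight to HTTPS.
            if sts is not None:
                findings.append(f"{hop['url']}: HSTS sent over HTTP is ignored by browsers")
            if not (300 <= hop["status"] < 400) or not loc:
                findings.append(f"{hop['url']}: plain-HTTP response is not a redirect")
            elif urlparse(loc).scheme != "https":
                findings.append(f"{hop['url']}: redirects to {loc}, not to HTTPS")
        else:
            # Every HTTPS response in the chain, redirects included, must carry
            # the header or its hostname is never pinned.
            parsed = parse_hsts(sts) if sts else None
            if parsed is None:
                findings.append(f"{hop['url']}: HTTPS response without a valid "
                                "Strict-Transport-Security header")
            elif parsed["max_age"] == 0:
                findings.append(f"{hop['url']}: max-age=0 clears HSTS for {u.hostname}")
    redirects = [h for h in hops if 300 <= h["status"] < 400]
    if len(redirects) > 1:
        findings.append(f"{len(redirects)} redirects before the final response; "
                        "each extra hop is another layer that can drop the header")
    return findings


def fetch_chain(url, max_hops=5):
    """Follow redirects manually so every intermediate hop is recorded."""
    hops = []
    for _ in range(max_hops):
        u = urlparse(url)
        conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
        conn = conn_cls(u.hostname, u.port, timeout=10)
        path = (u.path or "/") + (f"?{u.query}" if u.query else "")
        conn.request("GET", path, headers={"Host": u.hostname})
        resp = conn.getresponse()
        headers = dict(resp.getheaders())
        hops.append({"url": url, "status": resp.status, "headers": headers})
        conn.close()
        loc = _header(headers, "Location")
        if not (300 <= resp.status < 400) or not loc:
            break
        url = urljoin(url, loc)
    return hops


if __name__ == "__main__":
    for finding in audit_chain(SAMPLE_CHAIN):
        print(finding)
```

Run against `SAMPLE_CHAIN` it reports two things: the HTTPS apex redirect has no header, and there are two redirects where one would do. Point `fetch_chain` at a real hostname to audit a live CloudFront or ALB setup; it follows redirects itself because `urllib`'s default opener would hide exactly the intermediate hop this check is looking for.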