HSTS Mistakes in Erlang Cowboy and How to Fix Them
HSTS looks simple: send one response header and browsers stop using HTTP for your site. In practice, teams still get it wrong all the time, especially in Erlang systems sitting behind load balancers, reverse proxies, or mixed legacy setups. I’ve seen Cowboy apps ship with “secure” configs that quietly do nothing, break subdomains, or lock a bad decision into browsers for months. If you’re running Cowboy, the tricky part usually isn’t the header syntax. It’s where you set it, when you set it, and whether your deployment actually matches what the browser thinks is happening. ...