HSTS

HSTS on Railway sounds simple: add a header, force HTTPS, done. In practice, the right place to set it depends on how you deploy, whether you use Railway’s edge, and how much control you actually have over redirects and custom domains. If you run production apps on Railway, HSTS is usually worth enabling. But it’s one of those headers that can absolutely hurt you if you switch it on carelessly, especially with preload or a long max-age before your subdomains are ready. ...

HSTS on Fly.io looks simple right up until it breaks logins, bricks a staging subdomain, or quietly does nothing because the header never reaches the browser. I’ve seen all three. If you’re deploying on Fly.io, the platform handles TLS nicely, but HSTS is still your job. That’s where people get tripped up: they assume “HTTPS is on” means “HSTS is done.” Not even close. Here are the mistakes I see most often, why they happen on Fly.io, and how I’d fix them. ...

If your domain is on the HSTS preload list and you need it out, the process is simple on paper and annoyingly slow in practice. The hard part is not the form submission. The hard part is understanding what browsers will keep doing after you change your headers, and making sure you do not trap users behind a broken HTTPS setup while preload removal works its way through browser releases. ...

If you host a static site or public assets on Google Cloud Storage, HSTS sounds simple: send Strict-Transport-Security and force browsers onto HTTPS. The catch: with GCS, whether you can actually do that depends entirely on how you serve content. That’s the whole game. Google Cloud Storage is great at object serving. It’s not great at acting like a full-featured web server with flexible response header control in every hosting mode. So if you want HSTS on a GCS-backed site, you need to pick the right architecture first. ...

HSTS is one of those headers that’s easy to enable and surprisingly easy to get wrong. If you run a REST API with Express, HSTS tells clients: “Stop trying plain HTTP for this host. Use HTTPS only for a while.” That sounds simple, but the details matter a lot in production, especially behind proxies, load balancers, and CDNs. This guide is the version I wish more API teams used: what to send, when to send it, and what not to do. ...

If you run APIs over HTTPS, HSTS looks like an easy win. Set one header, tell clients to never use HTTP again, and reduce downgrade and cookie leakage risks. That’s the sales pitch. For browser-facing traffic, I’m generally a fan. For API endpoints, the answer is more nuanced. HSTS absolutely helps in some API deployments, does almost nothing in others, and can create operational headaches if you roll it out carelessly. ...

I’ve seen this mistake a lot: a team puts a static site in S3, flips on static website hosting, maps a DNS record, and calls it done. The site is fast, cheap, and easy to deploy. It also can’t do HSTS correctly. That matters because once you care about HTTPS, you usually want to enforce it hard. HSTS tells browsers: “Stop trying HTTP for this site. Only use HTTPS for a while.” Without it, users can still hit the site over plain HTTP first, get redirected, and stay exposed to downgrade and interception risks on that first request. ...

HSTS and mixed content get lumped together because they both live in the HTTPS world. But they solve different problems, fail in different ways, and trip up different teams. If you’re building or maintaining a site, you need to understand the gap between them: HSTS tells the browser to always use HTTPS for your domain. Mixed content happens when an HTTPS page still loads some resources over HTTP. That distinction matters. I’ve seen teams proudly enable HSTS and assume they’re done, while their pages still pull images, scripts, or CSS over plain HTTP. That’s not “mostly secure.” That’s a site with sharp edges. ...

If you serve HTTPS and you’re not using HSTS, you still have a weak first step. That sounds harsh, but it’s true. A site can have a perfectly valid TLS setup and still be vulnerable to downgrade tricks that push users onto plain HTTP before HTTPS ever gets a chance. HSTS fixes that by telling browsers: “for this site, never use HTTP again.” That one rule shuts down a whole class of annoying and very real attacks. ...

HSTS is one of those headers that’s dead simple on paper and weirdly easy to mess up in production. If you run a TypeScript app with tRPC, you usually don’t “add HSTS to tRPC” directly. You add it at the HTTP layer that serves your tRPC endpoint: Express, Fastify, Next.js custom server, Nginx, your edge platform, or your CDN. That distinction matters because if you set it in the wrong place, your API might still be exposed over plain HTTP during redirects or on subdomains you forgot existed. ...