HSTS for REST APIs with Express: Copy-Paste Guide

HSTS is one of those headers that’s easy to enable and surprisingly easy to get wrong. If you run a REST API with Express, HSTS tells clients: “Stop trying plain HTTP for this host. Use HTTPS only for a while.” That sounds simple, but the details matter a lot in production, especially behind proxies, load balancers, and CDNs. This guide is the version I wish more API teams used: what to send, when to send it, and what not to do. ...

May 10, 2026 · 7 min · headertest.com

HSTS for API Endpoints: Pros, Cons, and Deployment Guide

If you run APIs over HTTPS, HSTS looks like an easy win. Set one header, tell clients to never use HTTP again, and reduce downgrade and cookie leakage risks. That’s the sales pitch. For browser-facing traffic, I’m generally a fan. For API endpoints, the answer is more nuanced. HSTS absolutely helps in some API deployments, does almost nothing in others, and can create operational headaches if you roll it out carelessly. ...

May 9, 2026 · 7 min · headertest.com

HSTS for TypeScript with tRPC: Copy-Paste Guide

HSTS is one of those headers that’s dead simple on paper and weirdly easy to mess up in production. If you run a TypeScript app with tRPC, you usually don’t “add HSTS to tRPC” directly. You add it at the HTTP layer that serves your tRPC endpoint: Express, Fastify, Next.js custom server, Nginx, your edge platform, or your CDN. That distinction matters because if you set it in the wrong place, your API might still be exposed over plain HTTP during redirects or on subdomains you forgot existed. ...

April 29, 2026 · 6 min · headertest.com

HSTS for Dart with Shelf: Copy-Paste Reference

HTTP Strict Transport Security is one of those headers you set once, then forget about until you realize your rollout plan was sloppy. If you run a Dart app with Shelf, HSTS is straightforward: send a Strict-Transport-Security response header on HTTPS responses, and don’t break local development while doing it. This guide is the practical version: what to send, when to send it, and copy-paste Shelf middleware you can actually use. ...

April 28, 2026 · 7 min · headertest.com

HSTS for Fastify: Options, Tradeoffs, and Safe Rollout

HSTS looks simple: send one response header and browsers stop talking to your site over plain HTTP. The catch is that HSTS is one of those headers that can absolutely improve security and absolutely break things if you roll it out carelessly. I’ve seen teams flip on includeSubDomains in production and then spend the afternoon finding forgotten subdomains, old staging boxes, and random vendor callbacks still using HTTP. If you’re running Fastify, you’ve got a few ways to handle HSTS: ...

April 23, 2026 · 7 min · headertest.com

HSTS for Node.js with Koa: Copy-Paste Reference

HSTS is one of those headers that looks trivial until you ship it wrong. For Koa apps, the mechanics are easy: send Strict-Transport-Security over HTTPS. The hard part is rollout, preload, proxies, subdomains, and not bricking a staging or legacy setup by accident. This guide is the version I wish more teams had on hand: what to send, when to send it, and copy-paste Koa examples that won’t surprise you later. ...

April 20, 2026 · 7 min · headertest.com
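The Express, tRPC, Fastify and Koa guides above all turn on the same two questions: is this response really going out over HTTPS (including when TLS terminates at a proxy, load balancer or CDN), and how aggressive should the header be at this point in the rollout? The following is an added example written for this listing, not code from any of those posts or from the frameworks themselves. It works on the raw Node request (headers plus socket), which Express, Koa and Fastify all expose, so the same decision logic drops into each. The stage table, `trustedProxies`, `devHosts` and the function names are this example's own conventions.

```javascript
// Added example for this listing (not code from any headertest.com post or
// from Express/Koa/Fastify): proxy-aware HSTS decision for Node apps.
// Assumed names: STAGES, trustedProxies, devHosts, hstsHeaderFor.

// Rollout stages. The numbers are illustrative, not a standard; only the
// preload row reflects an external requirement (hstspreload.org: one year,
// includeSubDomains and preload).
const STAGES = {
  pilot:   { maxAge: 300,      includeSubDomains: false, preload: false }, // five minutes: cheap to back out
  ramp:    { maxAge: 86400,    includeSubDomains: false, preload: false }, // one day
  prod:    { maxAge: 31536000, includeSubDomains: true,  preload: false }, // one year
  preload: { maxAge: 31536000, includeSubDomains: true,  preload: true  },
};

function buildHstsValue(stage) {
  const cfg = STAGES[stage];
  if (!cfg) throw new Error(`unknown HSTS stage: ${stage}`);
  let v = `max-age=${cfg.maxAge}`;
  if (cfg.includeSubDomains) v += '; includeSubDomains';
  if (cfg.preload) v += '; preload';
  return v;
}

// Did this request really arrive over TLS? In-process TLS is easy to detect.
// Behind a TLS-terminating proxy Node only sees plaintext, and the only
// evidence is X-Forwarded-Proto, which is trusted solely when the peer is a
// proxy we configured: a client reaching the app directly can set it to anything.
function isSecureRequest(req, trustedProxies) {
  const sock = req.socket || {};
  if (sock.encrypted) return true;
  if (!sock.remoteAddress || !trustedProxies.has(sock.remoteAddress)) return false;
  const xfp = req.headers['x-forwarded-proto'];
  if (typeof xfp !== 'string') return false;
  // Chained proxies append; the leftmost value is the client-facing scheme.
  return xfp.split(',')[0].trim().toLowerCase() === 'https';
}

// The header value to set, or null when it must be omitted. Browsers ignore
// HSTS received over plain HTTP (RFC 6797), and sending it to localhost pins
// an HTTPS-only policy onto every local dev server, whatever its port.
function hstsHeaderFor(req, { stage, trustedProxies = new Set(), devHosts = ['localhost', '127.0.0.1', '[::1]'] }) {
  const host = (req.headers.host || '').replace(/:\d+$/, '');
  if (devHosts.includes(host)) return null;
  if (!isSecureRequest(req, trustedProxies)) return null;
  return buildHstsValue(stage);
}

// Express-style middleware (req, res, next). Koa exposes the raw Node objects as
// ctx.req/ctx.res and Fastify as request.raw/reply.raw, so the same
// hstsHeaderFor call fits their middleware and hook signatures.
function hstsMiddleware(options) {
  return (req, res, next) => {
    const v = hstsHeaderFor(req, options);
    if (v !== null) res.setHeader('Strict-Transport-Security', v);
    next();
  };
}

// Constructed requests for a quick self-check (not captured traffic).
const opts = { stage: 'prod', trustedProxies: new Set(['10.0.0.5']) };
const viaProxy = { headers: { host: 'api.example.com', 'x-forwarded-proto': 'https' }, socket: { encrypted: false, remoteAddress: '10.0.0.5' } };
const forged   = { headers: { host: 'api.example.com', 'x-forwarded-proto': 'https' }, socket: { encrypted: false, remoteAddress: '203.0.113.9' } };
console.log(hstsHeaderFor(viaProxy, opts)); // max-age=31536000; includeSubDomains
console.log(hstsHeaderFor(forged, opts));   // null
```

If you would rather lean on Express's own machinery, `app.set('trust proxy', ...)` makes `req.secure` honour X-Forwarded-Proto from the addresses you list, which is the same trust decision `isSecureRequest` makes by hand; the point either way is that the proxy allow-list, not the header, is what makes the check safe.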

HSTS for Crystal with Kemal: Pros, Cons, and Setup

HSTS is one of those headers that’s boring right up until the day it saves you from a nasty downgrade or cookie theft issue. If you’re running a Crystal app with Kemal, HSTS is usually easy to add. The hard part is deciding how aggressive to be. Short max-age? Long max-age? Include subdomains? Preload? Those choices have real operational consequences, especially if you run staging environments, legacy subdomains, or mixed infrastructure. ...

April 16, 2026 · 6 min · headertest.com
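The Fastify and Kemal guides above frame HSTS as a choice between short and long max-age, includeSubDomains or not, and preload or not. Before committing to the aggressive end of that spectrum it is worth auditing the exact header value a deployment emits, since browsers silently discard a malformed one. Here is an added example for this listing, not code from either post, written in JavaScript to match the Node entries on this page. It parses a Strict-Transport-Security value following RFC 6797 (directives separated by `;`, case-insensitive names, token or quoted-string values, no repeated directive) and reports the operational findings a reviewer would raise; the finding codes and the `auditHsts` name are this example's own. It checks the header only: preload also requires an HTTP-to-HTTPS redirect and HTTPS on the bare domain, which a header audit cannot see.

```javascript
// Added example for this listing (not code from any headertest.com post):
// parse and audit a Strict-Transport-Security value before rolling out a
// long max-age, includeSubDomains or a preload submission.
// Assumed names: parseHsts, auditHsts and the finding codes.

const ONE_YEAR = 31536000; // hstspreload.org's minimum max-age

// RFC 6797 section 6.1: directives separated by ';', names case-insensitive,
// values are a token or a quoted-string, and no directive may appear twice.
function parseHsts(value) {
  const directives = new Map();
  const errors = [];
  for (const raw of String(value).split(';')) {
    const part = raw.trim();
    if (part === '') continue;                               // empty elements are allowed
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : part.slice(eq + 1).trim();
    if (val !== null && val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1);                                // unwrap quoted-string
    }
    if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
      errors.push(`bad directive name ${JSON.stringify(name)}`);
    } else if (directives.has(name)) {
      errors.push(`directive ${name} appears more than once`);
    } else {
      directives.set(name, val);
    }
  }
  return { directives, errors };
}

// Audit one header value. sentOverHttps records where the header was observed,
// because a browser ignores HSTS received on a plain-HTTP response.
function auditHsts(value, { sentOverHttps = true } = {}) {
  const { directives, errors } = parseHsts(value);
  const findings = errors.map((msg) => ({ level: 'error', code: 'syntax', msg }));
  const add = (level, code, msg) => findings.push({ level, code, msg });

  let maxAge = null;
  const rawMaxAge = directives.get('max-age');
  if (rawMaxAge === undefined || rawMaxAge === null) {
    add('error', 'no-max-age', 'max-age is required; user agents ignore the header without it');
  } else if (!/^\d+$/.test(rawMaxAge)) {
    add('error', 'bad-max-age', `max-age must be a non-negative integer, got ${JSON.stringify(rawMaxAge)}`);
  } else {
    maxAge = Number(rawMaxAge);
  }
  if (!sentOverHttps) add('error', 'over-http', 'observed on a plain-HTTP response, where user agents ignore it');

  const includeSubDomains = directives.has('includesubdomains');
  const preload = directives.has('preload');
  for (const name of directives.keys()) {
    if (!['max-age', 'includesubdomains', 'preload'].includes(name)) {
      add('info', 'unknown-directive', `unrecognised directive ${name} (user agents ignore it)`);
    }
  }
  if (maxAge === 0) add('warn', 'max-age-zero', 'max-age=0 clears the cached policy: fine for rollback, otherwise a mistake');
  if (includeSubDomains && maxAge !== null && maxAge >= ONE_YEAR) {
    add('warn', 'subdomains-long', 'includeSubDomains with a year-long max-age: every subdomain must already serve HTTPS, and a mistake takes a year to age out');
  }
  if (preload) {
    if (maxAge === null || maxAge < ONE_YEAR) add('error', 'preload-short-max-age', `preload needs max-age >= ${ONE_YEAR}`);
    if (!includeSubDomains) add('error', 'preload-no-subdomains', 'preload needs includeSubDomains');
  }

  const valid = !findings.some((f) => f.level === 'error');
  const preloadReady = valid && preload && includeSubDomains && maxAge >= ONE_YEAR;
  return { valid, preloadReady, maxAge, includeSubDomains, preload, findings };
}

// Constructed sample values (not taken from any real deployment).
for (const v of ['max-age=300', 'max-age=31536000; includeSubDomains; preload', 'max-age=31536000; preload']) {
  const r = auditHsts(v);
  console.log(JSON.stringify(v), 'valid:', r.valid, 'preloadReady:', r.preloadReady, r.findings.map((f) => f.code));
}
```

Run it against the value your edge actually returns (`curl -sI https://example.com | grep -i strict`) rather than the one in your config; the proxy or CDN in front of the app is where the Cowboy and Rocket write-ups above found the header quietly rewritten or dropped.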

HSTS for Scala with Play Framework: Pros, Cons, Setup

If you run a Play app in production and you’re still treating HTTPS as “mostly enabled,” HSTS is one of the easiest ways to stop users from ever hitting your site over plain HTTP again. The idea is simple: tell the browser, “for this domain, only use HTTPS for a while.” After that, even if someone clicks an old http:// link or a network attacker tries SSL stripping, the browser upgrades the request before it leaves the machine. ...

April 14, 2026 · 7 min · headertest.com

HSTS Mistakes in Erlang Cowboy and How to Fix Them

HSTS looks simple: send one response header and browsers stop using HTTP for your site. In practice, teams still get it wrong all the time, especially in Erlang systems sitting behind load balancers, reverse proxies, or mixed legacy setups. I’ve seen Cowboy apps ship with “secure” configs that quietly do nothing, break subdomains, or lock a bad decision into browsers for months. If you’re running Cowboy, the tricky part usually isn’t the header syntax. It’s where you set it, when you set it, and whether your deployment actually matches what the browser thinks is happening. ...

April 13, 2026 · 7 min · headertest.com

HSTS in Rocket: A Real-World Rust Hardening Case Study

A few years ago I helped clean up a small Rust service that had all the usual “we’ll fix it before launch” security leftovers. The app used Rocket. TLS was terminated at a reverse proxy. Redirects from HTTP to HTTPS were working. Cookies were marked Secure. Everyone on the team assumed transport security was done. It wasn’t. The missing piece was HSTS: Strict-Transport-Security. Without it, first requests were still vulnerable to downgrade tricks, bad links, stale bookmarks, and users typing example.com without the scheme. The site looked secure in normal testing, but the browser had no instruction to always use HTTPS on future visits. ...

April 11, 2026 · 7 min · headertest.com