HSTS for Kotlin with Ktor: Copy-Paste Reference
HSTS in Ktor is simple once you know where to put it, and easy to get wrong if you treat it like just another header. Strict-Transport-Security tells browsers: “for this domain, use HTTPS only for a while.” After a browser sees it over a valid HTTPS response, future HTTP requests get upgraded to HTTPS before they ever leave the browser. That blocks protocol downgrade attacks and strips out a whole class of sloppy redirect problems. ...
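A minimal server module showing where the header is configured, as an added example that is not code from the original page. It assumes Ktor 2.x with the `ktor-server-hsts`, `ktor-server-http-redirect` and `ktor-server-forwarded-header` artifacts; the `security.hsts.steady` config key and the two max-age constants are hypothetical names chosen for illustration.

```kotlin
import io.ktor.server.application.*
import io.ktor.server.plugins.forwardedheaders.*
import io.ktor.server.plugins.hsts.*
import io.ktor.server.plugins.httpsredirect.*
import io.ktor.server.response.*
import io.ktor.server.routing.*

// Hypothetical rollout values: a short max-age first, so a mistake expires
// from browsers in minutes instead of pinning users to broken HTTPS for a year.
private const val ROLLOUT_MAX_AGE = 300L          // 5 minutes
private const val STEADY_MAX_AGE = 31_536_000L    // 365 days

fun Application.module() {
    // Hypothetical config key; flip it once every host serves valid HTTPS.
    val steady = environment.config
        .propertyOrNull("security.hsts.steady")?.getString() == "true"

    // Ktor's HSTS plugin only adds the header when the request origin is
    // https on port 443. Behind a TLS-terminating proxy the app sees plain
    // HTTP, so the origin must be rebuilt from X-Forwarded-* headers.
    // Install this only when a trusted proxy sets those headers; otherwise
    // clients can spoof them.
    install(XForwardedHeaders)

    // Plain-HTTP requests get a redirect; browsers ignore HSTS sent over
    // HTTP, so the header only takes effect on the HTTPS response.
    install(HttpsRedirect) {
        sslPort = 443
        permanentRedirect = true
    }

    install(HSTS) {
        maxAgeInSeconds = if (steady) STEADY_MAX_AGE else ROLLOUT_MAX_AGE
        // Covers every subdomain, including ones that may not serve HTTPS
        // yet, so it stays off until the rollout is complete.
        includeSubDomains = steady
        // Preload-list submission is hard to undo; left off here.
        preload = false
    }

    routing {
        get("/") { call.respondText("ok") }
    }
}
```

To check the result, request the site over HTTPS and confirm the response carries `Strict-Transport-Security` with the expected `max-age`; the same request over plain HTTP should return only the redirect.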