HSTS for Node.js with Koa: Copy-Paste Reference
HSTS is one of those headers that looks trivial until you ship it wrong. For Koa apps, the mechanics are easy: send Strict-Transport-Security over HTTPS. The hard part is rollout, preload, proxies, subdomains, and not bricking a staging or legacy setup by accident. This guide is the version I wish more teams had on hand: what to send, when to send it, and copy-paste Koa examples that won’t surprise you later. ...
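As an added illustration of "send Strict-Transport-Security over HTTPS" (example code written for this page, not the author's own): a Koa-style middleware that emits the header only on secure requests and refuses a `preload` value the preload list would reject. `hsts`, `buildHstsValue`, `fakeCtx` and the short default `maxAge` of 300 seconds are assumptions; `ctx.secure` and `ctx.set()` are Koa's context API.

```javascript
// Added example: Koa-style HSTS middleware. hsts() and buildHstsValue() are
// hypothetical names; ctx.secure and ctx.set() are Koa's own context API.
const ONE_YEAR = 31536000; // seconds

function buildHstsValue({ maxAge = 300, includeSubDomains = false, preload = false } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('maxAge must be a non-negative integer number of seconds');
  }
  // Preload-list submission requires max-age >= 1 year and includeSubDomains,
  // so refuse to emit "preload" in a combination the list would reject.
  if (preload && (!includeSubDomains || maxAge < ONE_YEAR)) {
    throw new Error('preload requires includeSubDomains and maxAge >= 31536000');
  }
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push('includeSubDomains');
  if (preload) parts.push('preload');
  return parts.join('; ');
}

function hsts(options) {
  const value = buildHstsValue(options); // validate once at startup, not per request
  return async function hstsMiddleware(ctx, next) {
    // Browsers ignore HSTS received over plain HTTP, so only send it on HTTPS.
    // Behind a TLS-terminating proxy, ctx.secure is true only when
    // app.proxy = true and the proxy sets X-Forwarded-Proto.
    if (ctx.secure) ctx.set('Strict-Transport-Security', value);
    await next();
  };
}

// Constructed stand-in for a Koa context so the block runs without Koa installed.
function fakeCtx(secure) {
  const headers = {};
  return { secure, headers, set(name, v) { headers[name] = v; } };
}

async function demo() {
  const mw = hsts({ maxAge: ONE_YEAR, includeSubDomains: true, preload: true });
  const https = fakeCtx(true);
  const http = fakeCtx(false);
  await mw(https, async () => {});
  await mw(http, async () => {});
  return { https: https.headers, http: http.headers };
}

demo().then((r) => console.log(r));
```

In a real app this would be registered with `app.use(hsts({ ... }))`, starting with a short `maxAge` and raising it once HTTPS is confirmed on every host the policy covers.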