HSTS is one of those headers that’s easy to enable and surprisingly easy to get wrong. If you run a REST API with Express, HSTS tells clients: “Stop trying plain HTTP for this host. Use HTTPS only for a while.” That sounds simple, but the details matter a lot in production, especially behind proxies, load balancers, and CDNs. This guide is the version I wish more API teams used: what to send, when to send it, and what not to do. ...
HSTS on Heroku looks simple right up until you ship it wrong and lock users into a bad HTTPS setup. I’ve seen this happen a few times: someone enables SSL on Heroku, adds a redirect to HTTPS, throws in Strict-Transport-Security, and calls it done. Then a week later they realize staging is broken, a custom domain is misconfigured, or preload was enabled before every subdomain was actually ready. Heroku makes TLS termination easy. That does not mean HSTS is automatic, or safe by default. ...
HSTS looks simple: send one response header and browsers stop talking to your site over plain HTTP. The catch is that HSTS is one of those headers that can absolutely improve security and absolutely break things if you roll it out carelessly. I’ve seen teams flip on includeSubDomains in production and then spend the afternoon finding forgotten subdomains, old staging boxes, and random vendor callbacks still using HTTP. If you’re running Fastify, you’ve got a few ways to handle HSTS: ...
HSTS is one of those headers that looks trivial until you ship it wrong. For Koa apps, the mechanics are easy: send Strict-Transport-Security over HTTPS. The hard part is rollout, preload, proxies, subdomains, and not bricking a staging or legacy setup by accident. This guide is the version I wish more teams had on hand: what to send, when to send it, and copy-paste Koa examples that won’t surprise you later. ...