Deploy HSTS Safely in Production: A Real-World Case Study
A few years ago I watched a team turn on HSTS in production with a one-line config change and a lot of confidence. By lunch, support had a queue full of users who couldn’t reach a legacy upload app on a forgotten subdomain. By the end of the day, the team had learned the hard way that HSTS is easy to enable and surprisingly hard to roll back once browsers cache it. ...