HSTS in Rocket: A Real-World Rust Hardening Case Study
A few years ago I helped clean up a small Rust service that had all the usual “we’ll fix it before launch” security leftovers. The app used Rocket. TLS was terminated at a reverse proxy. Redirects from HTTP to HTTPS were working. Cookies were marked Secure. Everyone on the team assumed transport security was done. It wasn’t. The missing piece was HSTS: Strict-Transport-Security. Without it, first requests were still vulnerable to downgrade tricks, bad links, stale bookmarks, and users typing example.com without the scheme. The site looked secure in normal testing, but the browser had no instruction to always use HTTPS on future visits. ...
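The gap described above is easy to miss precisely because nothing looks broken in a browser. The following is an added example, not code from the post or from the Rocket project: a dependency-free Rust module (standard library only, so it does not wire into Rocket's fairing API) that builds the `Strict-Transport-Security` value the app or the reverse proxy should emit, parses the header back into its RFC 6797 directives, and audits a response's header map the way a reviewer would on this case study. The one-year threshold, the function names and the sample header values are assumptions made for illustration.

```rust
use std::collections::HashMap;

/// Parsed Strict-Transport-Security policy (RFC 6797 directives).
#[derive(Debug, PartialEq)]
pub struct HstsPolicy {
    pub max_age: u64,
    pub include_subdomains: bool,
    pub preload: bool,
}

impl HstsPolicy {
    /// Render the header value to attach to every HTTPS response
    /// (from the app or from the TLS-terminating proxy).
    pub fn header_value(&self) -> String {
        let mut v = format!("max-age={}", self.max_age);
        if self.include_subdomains {
            v.push_str("; includeSubDomains");
        }
        if self.preload {
            v.push_str("; preload");
        }
        v
    }
}

/// Parse a Strict-Transport-Security value. Directive names are case-insensitive,
/// max-age is mandatory, a directive may not repeat, and unknown directives are ignored.
/// Returns None for a malformed value, which a browser treats as no policy at all.
pub fn parse_hsts(value: &str) -> Option<HstsPolicy> {
    let mut max_age = None;
    let mut include_subdomains = false;
    let mut preload = false;
    for directive in value.split(';') {
        let directive = directive.trim();
        if directive.is_empty() {
            continue;
        }
        let (name, arg) = match directive.split_once('=') {
            Some((n, a)) => (n.trim().to_ascii_lowercase(), Some(a.trim().trim_matches('"'))),
            None => (directive.to_ascii_lowercase(), None),
        };
        match (name.as_str(), arg) {
            ("max-age", Some(a)) => {
                if max_age.is_some() {
                    return None; // duplicate directive: invalid header
                }
                max_age = Some(a.parse::<u64>().ok()?);
            }
            ("includesubdomains", None) => include_subdomains = true,
            ("preload", None) => preload = true,
            _ => {}
        }
    }
    Some(HstsPolicy { max_age: max_age?, include_subdomains, preload })
}

/// Assumed audit threshold: one year, the value commonly required for preload lists.
pub const MIN_MAX_AGE_SECS: u64 = 31_536_000;

/// Audit a response's headers: is HSTS present, parseable and strong enough?
pub fn audit_hsts(headers: &HashMap<String, String>) -> Result<HstsPolicy, String> {
    let raw = headers
        .iter()
        .find(|(k, _)| k.eq_ignore_ascii_case("strict-transport-security"))
        .map(|(_, v)| v.as_str())
        .ok_or("missing Strict-Transport-Security: the browser will not pin HTTPS")?;
    let policy = parse_hsts(raw).ok_or(format!("unparseable HSTS value: {}", raw))?;
    if policy.max_age == 0 {
        return Err("max-age=0 deletes the policy instead of setting it".into());
    }
    if policy.max_age < MIN_MAX_AGE_SECS {
        return Err(format!("max-age {} is below one year", policy.max_age));
    }
    Ok(policy)
}

fn main() {
    // Constructed sample: the header the service should have been sending.
    let wanted = HstsPolicy { max_age: 63_072_000, include_subdomains: true, preload: false };
    println!("Strict-Transport-Security: {}", wanted.header_value());

    // Constructed sample response with the header absent, as in the case study.
    let mut headers: HashMap<String, String> = HashMap::new();
    headers.insert("Content-Type".into(), "text/html".into());
    println!("{:?}", audit_hsts(&headers));
}
```

Two caveats worth keeping in mind when applying the check: browsers only honour the header on a response received over HTTPS, so sending it on the HTTP side of the redirect does nothing, and the first visit to a host is still unprotected until the policy has been cached (preloading is the only answer to that).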