How to Audit Your HSTS Configuration
HTTP Strict Transport Security looks simple: send one header, force HTTPS, move on. In practice, HSTS failures are boring, subtle, and easy to miss until production traffic hits an unexpected edge case. I’ve seen teams “enable HSTS” and still leave redirect loops, a missing includeSubDomains directive, CDN layers that override the origin’s header, and preload-breaking configs (a max-age shorter than a year, or no preload directive at all) in place. The header was technically there, but the deployment was not actually trustworthy. If you want to audit HSTS properly, compare multiple methods. No single check catches everything. ...
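The failure modes above (a missing includeSubDomains, a max-age too short for preload, a second header injected by a CDN, a redirect loop between http:// and https://) can all be caught offline once you have the raw header values and the redirect chain in hand. The following is an added example, not code from the original post: a small auditor that parses Strict-Transport-Security per RFC 6797, applies the hstspreload.org submission requirements (max-age of at least 31536000 seconds, includeSubDomains, preload, and a first redirect from http:// to https:// on the same host), and walks a redirect map to detect loops. The header values and redirect map in the block are constructed samples, and the function names are this example's own.

```python
"""Offline HSTS audit helpers (added example, not the original post's code).
Sample headers and the redirect map used in __main__ are constructed."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# hstspreload.org requires max-age >= 1 year (31536000 seconds) for submission.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse one header value per RFC 6797 s6.1: directives separated by ';',
    names case-insensitive, max-age required, duplicate directives invalid."""
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age="100" is a valid quoted form
        if name in seen:
            policy.errors.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if arg.isdigit():
                policy.max_age = int(arg)
            else:
                policy.errors.append(f"max-age must be a non-negative integer, got {arg!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        else:  # RFC 6797 says UAs ignore unknown directives; record them anyway
            policy.warnings.append(f"unknown directive ignored: {name}")
    if policy.max_age is None:
        policy.errors.append("max-age missing; browsers will ignore the header")
    return policy


def audit_hsts_headers(headers: list) -> dict:
    """Audit every STS header value seen on one HTTPS response.
    RFC 6797 s8.1: a UA processes only the first STS header field, so a second
    value (typically a CDN override) means the origin's intent may be lost."""
    findings = []
    if not headers:
        return {"valid": False, "preload_ready": False,
                "findings": ["no Strict-Transport-Security header"]}
    if len(headers) > 1:
        findings.append(f"{len(headers)} STS headers present; only the first is honoured, "
                        "check CDN/origin overrides")
    policy = parse_hsts(headers[0])
    findings.extend(policy.errors)
    findings.extend(policy.warnings)
    valid = not policy.errors
    preload_ready = valid
    if valid:
        if policy.max_age == 0:
            findings.append("max-age=0 tells browsers to forget the policy")
            preload_ready = False
        elif policy.max_age < PRELOAD_MIN_MAX_AGE:
            findings.append(f"max-age {policy.max_age} < {PRELOAD_MIN_MAX_AGE}; too short for preload")
            preload_ready = False
        if not policy.include_subdomains:
            findings.append("includeSubDomains missing; subdomains unprotected, preload impossible")
            preload_ready = False
        if not policy.preload:
            findings.append("preload directive missing; preload submission will be rejected")
            preload_ready = False
    return {"valid": valid, "preload_ready": preload_ready, "findings": findings}


def audit_redirect_chain(start_url: str, redirects: dict, max_hops: int = 10) -> dict:
    """Walk a map of URL -> Location until a URL has no redirect. Flags loops,
    and for an http:// start checks that the first hop lands on https:// of the
    same host, which hstspreload.org requires."""
    chain, seen, findings, url = [start_url], {start_url}, [], start_url
    while url in redirects:
        nxt = redirects[url]
        if nxt in seen:
            findings.append(f"redirect loop back to {nxt}")
            return {"loop": True, "chain": chain + [nxt], "findings": findings}
        if len(chain) >= max_hops:
            findings.append(f"more than {max_hops} hops; giving up")
            break
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    first = urlsplit(start_url)
    if first.scheme == "http":
        if len(chain) < 2:
            findings.append("http:// is not redirected at all")
        else:
            hop = urlsplit(chain[1])
            if hop.scheme != "https" or hop.hostname != first.hostname:
                findings.append("first hop from http:// must be https:// on the same host for preload")
    return {"loop": False, "chain": chain, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: origin sends a good header, a CDN layer appends a weaker one.
    print(audit_hsts_headers(["max-age=63072000; includeSubDomains; preload", "max-age=300"]))
    print(audit_redirect_chain("http://a.example",
                               {"http://a.example": "https://a.example",
                                "https://a.example": "http://a.example"}))
```

Run it against the values you capture with `curl -sI https://host` (and against the http:// variant with `curl -sI -L --max-redirs 10`) rather than against a single tool's summary; the point of the block is that header parsing, preload rules and redirect behaviour are three separate checks, and a deployment can pass any one of them while failing the others.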