Security

If you’re shipping a Vapor app over HTTPS and you haven’t enabled HSTS yet, you’re leaving a pretty dumb gap in your transport security. HSTS stands for HTTP Strict Transport Security. It tells browsers: “for this domain, stop trying plain HTTP and always use HTTPS.” That matters because a redirect from http:// to https:// is not enough. An attacker sitting on the network can tamper with that first insecure request before the browser ever gets redirected. ...

If you run a Gin app over HTTPS and you’re not sending HSTS, you’re leaving an easy downgrade path open. HSTS tells browsers: “stop trying plain HTTP for this site; always use HTTPS.” That shuts down a bunch of avoidable mistakes and some very real attack paths. The catch: HSTS is one of those headers that looks trivial but can absolutely bite you in production if you roll it out carelessly. I’ve seen teams turn it on with preload flags before they were ready, then spend days untangling broken subdomains and internal tools. ...