HSTS for AWS S3 Static Hosting: A Real-World Fix
I’ve seen this mistake a lot: a team puts a static site in S3, flips on static website hosting, maps a DNS record, and calls it done. The site is fast, cheap, and easy to deploy. It also can’t do HSTS correctly. That matters because once you care about HTTPS, you usually want to enforce it hard. HSTS tells browsers: “Stop trying HTTP for this site. Only use HTTPS for a while.” Without it, users can still hit the site over plain HTTP first, get redirected, and stay exposed to downgrade and interception risks on that first request. ...
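To make the "only use HTTPS for a while" behaviour concrete, here is an added example (not code from the original post) that parses a Strict-Transport-Security header the way RFC 6797 describes and classifies a response: no policy recorded, a short-lived policy, or a policy of at least a year. The sample response headers are constructed, and the one-year threshold is an assumed review target, not a requirement from the post.

```python
"""Parse a Strict-Transport-Security header and judge the resulting policy."""
import re

ONE_YEAR = 31536000  # assumed review threshold in seconds (commonly recommended)


def _get_header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value):
    """Return {'max_age', 'include_subdomains', 'preload'} for a valid header,
    or None when the header is absent or malformed (browsers then ignore it)."""
    if value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            # RFC 6797: max-age must appear once and carry a non-negative integer
            if policy["max_age"] is not None or not re.fullmatch(r"\d+", arg):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # Unknown directives are ignored by browsers, so they are ignored here too.
    return policy if policy["max_age"] is not None else None


def evaluate(headers, over_https=True):
    """Classify a response as 'none' (no policy stored), 'weak' (< 1 year)
    or 'ok' (>= 1 year). Browsers only honour HSTS received over HTTPS, and
    max-age=0 tells the browser to forget any stored policy."""
    if not over_https:
        return "none"
    hsts = parse_hsts(_get_header(headers, "Strict-Transport-Security"))
    if hsts is None or hsts["max_age"] == 0:
        return "none"
    return "ok" if hsts["max_age"] >= ONE_YEAR else "weak"


# Constructed sample responses: an S3 website endpoint answers over plain HTTP
# with no HSTS header; the second set is what a hardened HTTPS front end would send.
S3_WEBSITE = {"Server": "AmazonS3", "Content-Type": "text/html"}
FIXED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
```

Running `evaluate(S3_WEBSITE, over_https=False)` yields `none` while `evaluate(FIXED)` yields `ok`, which is the gap the rest of the post is about.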