HSTS for TypeScript with tRPC: Copy-Paste Guide
HSTS is one of those headers that’s dead simple on paper and weirdly easy to mess up in production. If you run a TypeScript app with tRPC, you usually don’t “add HSTS to tRPC” directly. You add it at the HTTP layer that serves your tRPC endpoint: Express, Fastify, Next.js custom server, Nginx, your edge platform, or your CDN. That distinction matters because if you set it in the wrong place, your API might still be exposed over plain HTTP during redirects or on subdomains you forgot existed. ...
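The point above, as an added example that is not from the original guide: a framework-agnostic decision function to call from the HTTP layer (Express, Fastify, or similar) before the request reaches the tRPC handler. All names (`HstsOptions`, `ReqInfo`, `decide`, `canonicalHost`) are hypothetical, and it assumes your proxy or CDN overwrites any client-supplied `X-Forwarded-Proto`.

```typescript
// Added example; names are hypothetical, not part of tRPC or any framework.
interface HstsOptions {
  maxAgeSeconds: number;      // how long browsers remember "HTTPS only"
  includeSubDomains: boolean; // enable only when every subdomain serves HTTPS
  preload: boolean;           // enable only when submitting to the preload list
  trustProxy: boolean;        // honour X-Forwarded-Proto set by your own proxy/CDN
  canonicalHost: string;      // redirect target; never echo the Host header
}
interface ReqInfo {
  encrypted: boolean;         // true when the socket itself is TLS
  url: string;                // path and query, e.g. "/trpc/user.get"
  forwardedProto?: string;    // X-Forwarded-Proto value, if present
}
interface HstsDecision {
  status: number | null;      // null means: continue to the tRPC handler
  headers: Record<string, string>;
}

function hstsValue(o: HstsOptions): string {
  const maxAge = Math.floor(o.maxAgeSeconds);
  if (!Number.isFinite(maxAge) || maxAge < 0) throw new Error("invalid max-age");
  // Preload list submission requires one year minimum and includeSubDomains.
  if (o.preload && (maxAge < 31536000 || !o.includeSubDomains)) {
    throw new Error("preload needs max-age >= 31536000 and includeSubDomains");
  }
  const parts = [`max-age=${maxAge}`];
  if (o.includeSubDomains) parts.push("includeSubDomains");
  if (o.preload) parts.push("preload");
  return parts.join("; ");
}

function isHttps(req: ReqInfo, o: HstsOptions): boolean {
  if (req.encrypted) return true;
  if (!o.trustProxy || !req.forwardedProto) return false;
  // Assumes the proxy overwrites any client-supplied X-Forwarded-Proto.
  const first = req.forwardedProto.split(",")[0] ?? "";
  return first.trim().toLowerCase() === "https";
}

function decide(req: ReqInfo, o: HstsOptions): HstsDecision {
  const value = hstsValue(o); // validate config even on the redirect path
  if (!isHttps(req, o)) {
    // Browsers ignore HSTS sent over plain HTTP, so only redirect here.
    // 308 keeps the method and body, which matters for tRPC POST mutations.
    const path = req.url.startsWith("/") ? req.url : "/";
    return { status: 308, headers: { Location: `https://${o.canonicalHost}${path}` } };
  }
  return { status: null, headers: { "Strict-Transport-Security": value } };
}
```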