HSTS and WebSocket wss: Practical Reference Guide
If you use WebSockets in a browser app, HSTS absolutely matters. A lot of teams set Strict-Transport-Security for normal page loads and APIs, then forget that their frontend also opens ws:// or wss:// connections. That gap creates weird mixed transport behavior at best and a downgrade risk at worst. The short version: modern browsers generally apply HSTS to WebSocket connections too. If a host is known to be HSTS, a ws:// URL to that host is treated like wss:// before the network request goes out. That’s good news, but there are edge cases and deployment mistakes that still break things. ...
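To make the upgrade rule concrete, here is an added example (not code from the original guide, and not any browser's actual implementation) that models the decision a browser makes before a WebSocket request leaves the machine: it parses a `Strict-Transport-Security` header, records the host in a small HSTS store, and rewrites a `ws://` URL to `wss://` when the host (or, with `includeSubDomains`, a parent domain) is known. The names `parseHsts`, `HstsStore` and `upgradeWebSocketUrl` are assumptions for this demo; the hostnames are constructed sample values.

```javascript
// Added example, not from the original guide. Names below are assumed for the demo.

// Parse a Strict-Transport-Security header value into { maxAge, includeSubDomains }.
// Returns null when the header is unusable (missing or malformed max-age), which
// browsers treat as "no policy", not as an error.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const part of headerValue.split(';')) {
    const token = part.trim();
    if (!token) continue;
    const [name, value] = token.split('=').map((s) => s.trim());
    const lname = name.toLowerCase();
    if (lname === 'max-age') {
      const n = parseInt(String(value ?? '').replace(/^"|"$/g, ''), 10);
      if (Number.isNaN(n) || n < 0) return null;
      policy.maxAge = n;
    } else if (lname === 'includesubdomains') {
      policy.includeSubDomains = true;
    }
  }
  return policy.maxAge === null ? null : policy;
}

// A minimal HSTS store: host -> { expires, includeSubDomains }.
class HstsStore {
  constructor() { this.entries = new Map(); }

  // Record a policy. A browser only honours HSTS learned over a secure
  // connection; a header seen over plain http is ignored.
  learn(host, headerValue, overHttps, now = Date.now()) {
    if (!overHttps) return false;
    const policy = parseHsts(headerValue);
    if (!policy) return false;
    const key = host.toLowerCase();
    if (policy.maxAge === 0) { this.entries.delete(key); return true; } // max-age=0 clears
    this.entries.set(key, {
      expires: now + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // True if host is covered directly or via an includeSubDomains parent entry.
  isKnown(host, now = Date.now()) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expires <= now) { this.entries.delete(candidate); continue; } // expired
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }
}

// The WebSocket-specific step: a ws:// URL to a known-HSTS host is rewritten to
// wss:// before any network request is made. Non-default ports are kept;
// the WHATWG URL parser already drops an explicit :80 on ws:// and :443 on wss://.
function upgradeWebSocketUrl(urlString, store, now = Date.now()) {
  const url = new URL(urlString);
  if (url.protocol !== 'ws:') return url.href;            // already wss:// or not a WebSocket URL
  if (!store.isKnown(url.hostname, now)) return url.href; // no policy: stays ws://
  url.protocol = 'wss:';
  return url.href;
}

// Usage: learn a policy from an HTTPS response, then see what happens to a ws:// URL.
const demoStore = new HstsStore();
demoStore.learn('example.com', 'max-age=31536000; includeSubDomains', true);
console.log(upgradeWebSocketUrl('ws://api.example.com:8080/ws', demoStore));
```

The two failure modes worth noticing are the ones the store makes explicit: a host the browser has never seen over HTTPS (or whose entry has expired) gets no upgrade, so a front end that hardcodes `ws://` still opens a cleartext socket on first visit or after `max-age` lapses. Writing `wss://` in the client, or deriving the scheme from `location.protocol`, removes that dependency on the store.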