What Is HSTS (HTTP Strict Transport Security)?

HTTP Strict Transport Security (HSTS): a web security mechanism that instructs browsers to access a site only over HTTPS, preventing protocol downgrade attacks and cookie hijacking. Once a server has sent the Strict-Transport-Security header over HTTPS, the browser rewrites every HTTP request to that host to HTTPS for the specified duration, even if the user types http://.

Why It Matters for AI-Coded Apps

AI code generators almost never add security headers like HSTS. When vibe coding a web application, the LLM focuses on functionality and leaves the app reachable over both HTTP and HTTPS, so a man-in-the-middle attacker can intercept traffic, steal session cookies, and inject malicious content during the initial plain-HTTP request.

Real-World Example

A user accesses http://app.com on public WiFi. Without HSTS, the browser makes an unencrypted HTTP request that an attacker on the same network intercepts, stealing the session cookie. With an HSTS policy already cached from an earlier HTTPS visit (Strict-Transport-Security: max-age=31536000; includeSubDomains), the browser upgrades the request to HTTPS before sending any data.

How to Detect and Prevent It

Add the HSTS header to all HTTPS responses: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Browsers ignore the header on plain-HTTP responses, so also redirect HTTP to HTTPS. Start with a short max-age (300 seconds) and increase it only after confirming HTTPS works everywhere. Ensure all subdomains support HTTPS before using includeSubDomains, then submit your domain to the HSTS preload list for browser-level enforcement.
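The following added example (not code from the original page or from Vibe Eval) models both halves of the behaviour described above: a server-side check that a Strict-Transport-Security header value is usable and preload-eligible, and a minimal browser-side HSTS cache that decides whether an http:// URL gets upgraded, honouring max-age expiry and includeSubDomains. Hostnames such as app.example and short.example are constructed for the example; the preload requirements (max-age of at least 31536000, includeSubDomains, preload) are the published hstspreload.org criteria.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the value the page uses and the preload list requires


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value into its RFC 6797 directives.
    Returns None when the header is empty or lacks a numeric max-age (browsers ignore it)."""
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def check_rollout(policy: Optional[HstsPolicy]) -> list:
    """Return human-readable findings about a parsed policy (empty list means preload-ready)."""
    if policy is None:
        return ["no usable Strict-Transport-Security header"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0: browsers drop the stored policy")
    elif policy.max_age < ONE_YEAR:
        findings.append("max-age below one year: fine while testing, not preload-eligible")
    if policy.preload and not policy.include_subdomains:
        findings.append("preload requires includeSubDomains")
    if policy.preload and policy.max_age < ONE_YEAR:
        findings.append("preload requires max-age of at least 31536000")
    return findings


class HstsStore:
    """Minimal model of a browser's HSTS cache (constructed for this example)."""

    def __init__(self):
        self._entries = {}  # host -> (expires_at, include_subdomains)

    def remember(self, host: str, policy: HstsPolicy, now: int) -> None:
        # Only called for policies received over HTTPS; max-age=0 means forget the host.
        if policy.max_age == 0:
            self._entries.pop(host.lower(), None)
            return
        self._entries[host.lower()] = (now + policy.max_age, policy.include_subdomains)

    def _covered(self, host: str, now: int) -> bool:
        # Walk from the full host up through its parent domains; a parent entry
        # only applies when it was stored with includeSubDomains.
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now:
                continue  # expired policy no longer forces HTTPS
            if i == 0 or include_subdomains:
                return True
        return False

    def upgrade(self, url: str, now: int) -> str:
        """Rewrite an http:// URL to https:// when a live policy covers its host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self._covered(parts.hostname or "", now):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    policy = parse_hsts("max-age=31536000; includeSubDomains")
    print(check_rollout(policy))  # [] apart from preload not being requested
    store = HstsStore()
    store.remember("app.example", policy, now=1000)
    print(store.upgrade("http://app.example/login", now=1000))
```

Running the module shows the upgrade for a host with a cached policy; the store returns the URL unchanged for a first-time visitor (no entry yet), which is exactly the window preloading closes.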

Frequently Asked Questions

What is HSTS preloading?

HSTS preloading is a list maintained by browsers that hardcodes HSTS for submitted domains. Once your domain is on the preload list, browsers enforce HTTPS from the very first visit, eliminating the window where a first-time visitor could be attacked. Submit at hstspreload.org.

Can HSTS break my site?

If any part of your site or its subdomains does not support HTTPS, enabling HSTS with includeSubDomains makes those resources unreachable for the whole max-age, because the browser refuses to fall back to HTTP. Always verify full HTTPS support before enabling it, and use a short max-age initially so a mistake expires quickly.

Do hosting platforms like Vercel add HSTS automatically?

Vercel, Netlify, and Cloudflare Pages add HSTS headers by default for custom domains. However, self-hosted deployments and platforms like Railway, Render, or AWS require manual configuration. Always verify headers with securityheaders.com.
