📚 HSTS usage details

mars · web-flow · commit 2bbc8211bb63 · 2019-01-07T15:20:56.000-08:00
diff --git a/README.md b/README.md
@@ -227,7 +227,11 @@ Enforce secure connections by automatically redirecting insecure requests to **h
 }
 ```
 
-Prevent downgrade attacks with [HTTP strict transport security](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security). Add HSTS `"headers"` to `static.json`:
+#### Strict transport security (HSTS)
+
+Prevent downgrade attacks with [HTTP strict transport security](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security). Add HSTS `"headers"` to `static.json`.
+
+⚠️ **Do not set HSTS headers if the app's hostname will not permantly support HTTPS/SSL/TLS.** Once HSTS is set, switching back to plain HTTP will cause security errors in browsers that received the headers, until the max-age is reached. Heroku's built-in `herokuapp.com` hostnames are safe to use with HSTS.
 
 ```json
 {

Original file line number	Diff line number	Diff line change
`@@ -227,7 +227,11 @@ Enforce secure connections by automatically redirecting insecure requests to **h`
`227`	`227`	`}`
`228`	`228`	```
`229`	`229`
`230`		-Prevent downgrade attacks with [HTTP strict transport security](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security). Add HSTS `"headers"` to `static.json`:
	`230`	`+#### Strict transport security (HSTS)`
	`231`	`+`
	`232`	+Prevent downgrade attacks with [HTTP strict transport security](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security). Add HSTS `"headers"` to `static.json`.
	`233`	`+`
	`234`	+⚠️ Do not set HSTS headers if the app's hostname will not permantly support HTTPS/SSL/TLS. Once HSTS is set, switching back to plain HTTP will cause security errors in browsers that received the headers, until the max-age is reached. Heroku's built-in `herokuapp.com` hostnames are safe to use with HSTS.
`231`	`235`
`232`	`236`	```json
`233`	`237`	`{`