HSTS across API Gateway, ALB, and CloudFront
Your distributed AWS architecture might have a security blind spot you don't even know about.
That first HTTP request—the one before the browser gets redirected to HTTPS? It's a window. An attacker can slip in, intercept, and strip away the SSL layer entirely. It's called SSL stripping, and redirects alone won't stop it.
HSTS (HTTP Strict Transport Security) closes that window by forcing the browser to HTTPS before any network traffic happens. But here's the problem: if you're running APIs on API Gateway, content on CloudFront, and web apps behind Application Load Balancers, you've got three different services, three different ways to configure HSTS, and probably three different security postures.
AWS just made this less painful.
API Gateway now lets you inject HSTS headers through response parameter mapping (HTTP APIs) or Lambda functions / mapping templates (REST APIs).
Application Load Balancers have built-in header modification. One config per listener. Done.
CloudFront lets you attach response header policies at the edge. Global enforcement. No origin changes needed.
Start small. Use a 5-minute max-age while you test. Move to 1 day, then 30 days, then the full year once you're confident. Include subdomains. Consider preloading if you want maximum coverage (though that's a long-term commitment).
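To make the rollout concrete, here is an added example (not from the original post) that builds the header value for each stage above and audits captured response headers from the three services for a missing or inconsistent policy. Service names, the sample responses and the `hstspreload.org` preload rule (max-age of at least one year plus includeSubDomains) are assumptions for the example.

```python
"""Added example: build staged HSTS values and audit them across services."""

# Rollout stages from the post, in seconds: 5 minutes, 1 day, 30 days, 1 year.
STAGES = {"test": 300, "day": 86_400, "month": 2_592_000, "year": 31_536_000}


def hsts_value(stage, include_subdomains=True, preload=False):
    """Return the Strict-Transport-Security value for a rollout stage."""
    max_age = STAGES[stage]
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        # Assumption: preload list rules require a 1-year max-age and subdomains.
        if not include_subdomains or max_age < STAGES["year"]:
            raise ValueError("preload needs includeSubDomains and max-age >= 1 year")
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts(value):
    """Parse a header value into (max_age, include_subdomains, preload); None if invalid."""
    if value is None:
        return None
    max_age, sub, pre = None, False, False
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                max_age = int(d[len("max-age="):].strip('"'))
            except ValueError:
                return None
        elif d == "includesubdomains":
            sub = True
        elif d == "preload":
            pre = True
    return None if max_age is None else (max_age, sub, pre)


def audit(responses):
    """responses: {service: {header: value}} captured per endpoint. Returns findings."""
    findings, policies = [], {}
    for svc, headers in responses.items():
        raw = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
        policy = parse_hsts(raw)
        if policy is None:
            findings.append(f"{svc}: HSTS header missing or unparseable")
        else:
            policies[svc] = policy
    if len(set(policies.values())) > 1:  # three services, three postures
        detail = ", ".join(f"{s}={p[0]}s" for s, p in sorted(policies.items()))
        findings.append(f"inconsistent HSTS policy across services: {detail}")
    return findings


# Constructed sample: what the three endpoints might return mid-rollout.
SAMPLE = {
    "api-gateway": {"strict-transport-security": hsts_value("day")},
    "alb": {"Strict-Transport-Security": "max-age=300; includeSubDomains"},
    "cloudfront": {"content-type": "text/html"},  # policy not attached yet
}
```

Run `audit(SAMPLE)` against headers captured from each service after every stage change; an empty result means all three answer with the same policy.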
Defense in depth isn't about one layer. It's about stacking them so that when one fails, the others catch it. HSTS is one of those layers.