HTTPS is everywhere. Right up until the moment it isn’t.
Most APIs work perfectly fine without HSTS. Requests go through, tests pass, dashboards stay green. And that’s exactly why teams forget it exists. Nothing breaks. Nothing screams. Nothing fails.
What Rentgen does here is brutally simple: it checks whether an HTTPS endpoint actually sends the Strict-Transport-Security header. If it’s missing, Rentgen marks it as a warning. Not a failure. A warning.
Because without HSTS, HTTPS is negotiated, not enforced. On first contact, or in downgrade scenarios, clients may still accept HTTP. That’s how SSL stripping and “it worked on public Wi-Fi” stories begin. Quietly. Invisibly.
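The check the post describes, written out as an added example (this is not Rentgen's own code, and the function names, the `HstsResult` shape and the sample headers are all constructed here): it inspects an endpoint's response headers, reports a warning rather than a failure when Strict-Transport-Security is absent, and parses the directives when it is present. Two caveats a practitioner would want are built in: a header delivered over plain HTTP is ignored by clients (RFC 6797), so it does not count, and a header whose `max-age` is missing, non-numeric or `0` provides no enforcement either.

```python
"""Minimal HSTS posture check for an HTTPS API endpoint (added example,
not Rentgen's implementation)."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit
from urllib.request import Request, urlopen


@dataclass
class HstsResult:
    level: str                 # "ok" or "warning" (never "fail", matching the post)
    reason: str
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> dict:
    """Split an HSTS header value into {directive_name: value_or_None}.

    RFC 6797: directives are ';'-separated, names are case-insensitive,
    max-age may be quoted, and a directive must not appear twice.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = raw.strip().strip('"') if raw else None
    return directives


def check_hsts(url: str, headers: dict) -> HstsResult:
    """Classify the endpoint's HSTS posture from its response headers.

    `headers` is a plain dict (header lookup is case-insensitive). A missing
    or ineffective header yields level "warning", not a failure.
    """
    if urlsplit(url).scheme != "https":
        # Clients ignore HSTS received over HTTP, so there is nothing to enforce.
        return HstsResult("warning", "endpoint is not HTTPS; HSTS cannot apply")

    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("strict-transport-security")
    if raw is None:
        return HstsResult("warning", "Strict-Transport-Security header missing")

    try:
        directives = parse_hsts(raw)
    except ValueError as exc:
        return HstsResult("warning", f"malformed HSTS header: {exc}")

    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return HstsResult("warning", "HSTS header lacks a valid max-age directive")
    if int(max_age) == 0:
        # max-age=0 tells clients to forget the policy; effectively no HSTS.
        return HstsResult("warning", "max-age=0 disables HSTS", 0)

    return HstsResult(
        "ok",
        "HSTS present",
        int(max_age),
        "includesubdomains" in directives,
        "preload" in directives,
    )


def fetch_headers(url: str, timeout: float = 5.0) -> dict:
    """Fetch response headers with a HEAD request (network; not used in the demo)."""
    with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    # Constructed sample responses, so the demo runs offline.
    samples = {
        "https://api.example.com/v1": {"Content-Type": "application/json"},
        "https://api.example.com/v2": {
            "Strict-Transport-Security": 'max-age="31536000"; includeSubDomains; preload'
        },
    }
    for url, hdrs in samples.items():
        r = check_hsts(url, hdrs)
        print(f"{r.level.upper():7} {url}: {r.reason}")
    # Live use: print(check_hsts(u, fetch_headers(u)))
```

Running the demo prints a WARNING line for the first endpoint and an OK line for the second; swapping `fetch_headers` in for the constructed dict turns it into a real probe of your own endpoints.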
This isn’t always catastrophic. Many APIs are server-to-server, mobile-only, or hardcoded to HTTPS. In those cases, missing HSTS might be acceptable. But it should be a decision, not an accident.
That’s why Rentgen doesn’t fail your API for this. It forces the uncomfortable question: do we rely on HTTPS by assumption, or by enforcement?
Missing HSTS won’t crash your system. It won’t fail CI. It won’t wake anyone up at night. But it removes a layer designed to prevent silent downgrade in exactly the environments where things go wrong.
Forgotten security is the most dangerous kind.
Full story and details here:
👉 https://rentgen.io/api-stories/hsts-strict-transport-security.html