As per Saturn docs, to have HSTS in Saturn, one needs to specify force_ssl in the application:

    application {
        url ("http://0.0.0.0:" + port.ToString() + "/")
        force_ssl
        ...
    }

This works for the deployed version of the web, however it breaks local development. The server does not return responses; in the log it writes "Request redirected to HTTPS" and that's all.

Is it possible to force SSL and keep local dev convenient at the same time?

SAFE-stack assumes usage of webpack and webpack-dev-server, and that works as a proxy to the real server, which means one needs to do some adjustments there as well.

So the webpack config should now have https in the target of the proxy section:

    devServer: {
        proxy: {
            '/api/*': {
                target: 'https://localhost:<port>',
                ...
            },
            ...
        },
        ...
    },

This is not enough - as per docs, to avoid security exceptions, one needs to unset the secure flag:

    devServer: {
        proxy: {
            '/api/*': {
                target: 'https://localhost:<port>',
                // do not verify the backend's TLS certificate
                secure: false,
                ...
            },
            ...
        },
        ...
    },

And the last thing is to modify the server application accordingly:

    application {
        url ("https://0.0.0.0:" + port.ToString() + "/")
        force_ssl
        ...
    }

That should do it both for dev and prod versions of the web.
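
The secure: false setting above switches off TLS certificate verification on the hop from webpack-dev-server to the backend, so it is worth confining it to loopback targets and to development builds. The following is an added example, not part of the original answer, of a webpack config function that does this; apiProxy, makeConfig, the apiTarget env key and port 8085 are assumptions made for illustration.

```javascript
// Added example (not from the original answer). All names and the port are
// hypothetical; only 'target' and 'secure' come from the answer's config.

// Hostnames as the WHATWG URL parser reports them (IPv6 keeps its brackets).
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Build the '/api/*' entry of devServer.proxy for a backend using force_ssl.
function apiProxy(target) {
  const url = new URL(target);
  if (url.protocol !== 'https:') {
    // A plain-http target would only be answered with a redirect to HTTPS.
    throw new Error('backend uses force_ssl, expected https target: ' + target);
  }
  return {
    target: url.origin,
    // Skip certificate verification only for the local self-signed dev
    // certificate; any other host must present a certificate that validates.
    secure: !LOOPBACK_HOSTS.has(url.hostname),
  };
}

// webpack accepts a config function (env, argv) => config.
function makeConfig(env, argv) {
  const mode = (argv && argv.mode) || 'development';
  const target = (env && env.apiTarget) || 'https://localhost:8085'; // sample port
  const config = { mode };
  // devServer (and with it the relaxed TLS setting) exists only in dev builds.
  if (mode === 'development') {
    config.devServer = { proxy: { '/api/*': apiProxy(target) } };
  }
  return config;
}

// In webpack.config.js this would be exported as the config function.
if (typeof module !== 'undefined' && module.exports) {
  module.exports = makeConfig;
}
```
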