www canonical URL and HSTS (OPS.2)
Single canonical host for the marketing/product site: https://ehxlabs.xyz (apex). Documentation: https://docs.ehxlabs.xyz.
www redirect
Option A — Cloudflare (recommended)
- DNS: www CNAME → apex, or Page Rule / Redirect Rule: www.ehxlabs.xyz/* → https://ehxlabs.xyz/$1 (301).
Option B — Caddy on origin
Add a site block (only if www DNS also points at this host):
www.ehxlabs.xyz {
    redir https://ehxlabs.xyz{uri} permanent
}
HSTS checklist (enable only after full HTTPS verification)
- Apex and docs serve valid TLS (no mixed content).
- All asset URLs use https://.
- www redirects to apex (no duplicate cookies).
- Staging uses a different hostname (do not copy prod HSTS max-age to staging prematurely).
Caddy example (after checklist):
ehxlabs.xyz {
    encode gzip zstd
    header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    # ... existing handlers
}
includeSubDomains affects docs.ehxlabs.xyz — confirm docs host is stable before enabling.
Cookie scope
- Session cookies should use Domain appropriate for apex-only or host-only policy documented in auth milestones.
- Avoid setting cookies on both www and apex during migration.
Verification
curl -sI https://www.ehxlabs.xyz | head -5
curl -sI https://ehxlabs.xyz | grep -i strict-transport
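
Added example (not part of the original runbook): the two curl checks above turned into pass/fail functions that read response headers on stdin. The function names hdr, check_www_redirect and check_hsts are hypothetical, the sample responses are constructed, and the minimum max-age is taken from the Caddy example.

```shell
#!/bin/sh
# Added example: validates saved `curl -sI` output against this page's policy.

# hdr NAME: print the value of header NAME (case-insensitive) read from stdin.
hdr() {
    tr -d '\r' | awk -v n="$1" 'BEGIN { n = tolower(n) ":" }
        tolower(substr($0, 1, length(n))) == n {
            v = substr($0, length(n) + 1); sub(/^[ \t]+/, "", v); print v; exit }'
}

# check_www_redirect: stdin = response headers from https://www.ehxlabs.xyz/...
# Passes only for a 301 whose Location stays on the https apex.
check_www_redirect() {
    resp=$(cat)
    status=$(printf '%s\n' "$resp" | head -n 1 | tr -d '\r' | awk '{ print $2 }')
    loc=$(printf '%s\n' "$resp" | hdr location)
    [ "$status" = "301" ] || { echo "FAIL: status '$status', want 301"; return 1; }
    case "$loc" in
        https://ehxlabs.xyz|https://ehxlabs.xyz/*) echo "OK: 301 -> $loc" ;;
        *) echo "FAIL: Location '$loc' is not the apex"; return 1 ;;
    esac
}

# check_hsts MIN_AGE: stdin = response headers from the apex.
# Requires max-age >= MIN_AGE plus includeSubDomains and preload.
check_hsts() {
    val=$(hdr strict-transport-security | tr 'A-Z' 'a-z' | tr -d ' \t')
    [ -n "$val" ] || { echo "FAIL: no Strict-Transport-Security header"; return 1; }
    age=$(printf '%s\n' "$val" | tr ';' '\n' | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1)
    { [ -n "$age" ] && [ "$age" -ge "$1" ]; } || { echo "FAIL: max-age '$age' < $1"; return 1; }
    for d in includesubdomains preload; do
        printf '%s\n' "$val" | tr ';' '\n' | grep -qx "$d" || { echo "FAIL: missing $d"; return 1; }
    done
    echo "OK: max-age=$age with includeSubDomains and preload"
}

# Constructed sample responses (not captured from the live site).
WWW_SAMPLE='HTTP/2 301
location: https://ehxlabs.xyz/pricing'
APEX_SAMPLE='HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload'

printf '%s\n' "$WWW_SAMPLE" | check_www_redirect
printf '%s\n' "$APEX_SAMPLE" | check_hsts 31536000
```

Against the live hosts, pipe the curl -sI output from the Verification commands into check_www_redirect and check_hsts 31536000 instead of the samples.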