HSTS Preload List: submit your domain, improve user security
HTTPS ensures data is transmitted securely, but HSTS takes online security a step further. By submitting your HTTPS encrypted website to a special HSTS Preload List, you’ll prevent browsers from making insecure HTTP connections. Here's how it works.
HSTS ensures secure HTTPS connections
Google has long pushed to make all websites HTTPS-encrypted by default, providing regular updates to show how close it is to realizing its goal of a 100 percent encrypted Internet. Now, with its .APP domain, Google (the domain registry for .APP) is taking its efforts one step further by making .APP the first domain to be implemented into the Preload List for sites that support HSTS, HTTPS Strict Transport Security.
The HSTS Preload List includes a list of hostnames for which browsers automatically enforce HTTPS-secured connections. Browsers will avoid making insecure connections to the sites included in the list. Once a browser receives a site’s HSTS, it updates the list, preventing potential HTTP connections from occurring in the future. The list includes domains, subdomains, and entire TLDs.
Any .APP domain will be HSTS supported by default so won’t have to be entered into the list individually. But that doesn’t mean you won’t still need an SSL certificate for your .APP domain to load in a browser. You do. Without a valid certificate, your website won’t load.
Add HSTS to your website
.APP domain names, designed primarily for app developers and publishers (though anyone can register one), are unique in that they have HSTS built into them. And with SSL increasingly a requirement, there is speculation that we could see more and more TLDs become HSTS-preloaded.
But, even if your domain isn’t HSTS preloaded, you can still request to have your website added to the list, ensuring that it is always served over HTTPS.
GlobalSign, our Certificate Authority, reports that to be eligible for the HSTS Preload List, you will need to:
- Have a valid SSL Certificate. All subdomains must be covered in your SSL Certificate so you’ll need to add a Wildcard. You can order a Wildcard with your Alpha, Domain Validation, or Organisation Validation certificate, all of which are available at EuroDNS.
- Redirect ALL HTTP links to HTTPS with a 301 Permanent Redirect.
- Serve an HSTS header on the base domain for HTTPS requests.
- Max-age must be at least 10886400 seconds or 18 Weeks.
- The includeSubDomains directive must be specified if you have them.
- The preload directive must be specified.
You'll end up with an HSTS header that tells a browser not to connect with an HTTP port. It will look something like this:
Strict-Transport-Security:
max-age=63072000; includeSubDomains; preload
More specific information can be found at hstspreload.org.
Being insecure no longer an option
With little additional effort, you can take advantage of HSTS preloading. You’ll provide users with further peace of mind because they’ll know they’re visiting a site that is HTTPS encrypted, i.e. safe and secure. And with browsers now regularly issuing security warnings like the one below, you need to show your users that you take their security seriously.
For more information about SSL certificates, Wildcards, or .APP domain registration, visit our site or get in touch with a member of our Sales department (+352 263 725 250 or sales@eurodns.com). They'll be happy to provide you with more information!