TRAFFIC
This means that there is a hard-coded list, maintained by the browser teams, of domain names that operate only over HTTPS. If the domain name typed into the address bar is on this list, the browser does not connect to the server at all: it immediately redirects the user to the HTTPS version with a 307 (internal redirect), without sending any request to the HTTP version. This behaves like a 301 redirect, except that it is generated by the browser rather than the server. The HTTPS version of the website therefore loads much faster (a few milliseconds instead of 100+ milliseconds), and the redundant HTTP round trip and server-side redirect are avoided entirely.
Submit for preloading
To qualify for HSTS preloading in browsers, the website needs to meet the following conditions:
● Use a valid SSL certificate;
● Redirect all HTTP requests to the HTTPS version;
● All hostnames, including all subdomains, need to serve content from the HTTPS version;
● The naked domain needs to serve the HSTS header, even when the naked domain itself only redirects (for example to www).
Here is an example of the most common and valid HSTS header:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
It is considered best practice to always serve the HSTS header with every response on the HTTPS version. With Apache, this can be accomplished in the .htaccess file of the HTTPS root directory (the "always" condition makes mod_headers add the header to every response, including redirects and error pages, which plain "Header set" would skip):
# Send HSTS on every HTTPS response, including 3xx redirects and 4xx/5xx errors
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Figure 8: Testing and submitting for HSTS preloading
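The following is an added example, written for this page and not code from the article or from any browser or preload-list project. It ties the two preceding sections together: it parses a Strict-Transport-Security header value, checks the preload conditions listed above against a constructed set of observations about a site, and then simulates how a browser applies a preload-list entry to a URL before any network request is made, including the includeSubDomains matching. The preload list, the host names and the observations are constructed sample data; the one-year minimum max-age is the documented hstspreload.org requirement, and the article's 63072000 (two years) comfortably exceeds it.

```python
"""Parse an HSTS header, check preload eligibility, and simulate the
browser-internal HTTP -> HTTPS upgrade for preloaded hosts."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# hstspreload.org's documented minimum max-age: one year, in seconds.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse an HSTS header value per RFC 6797 section 6.1: directive names
    are case-insensitive, must not repeat, max-age is mandatory, and unknown
    directives are ignored."""
    seen = set()
    max_age = None
    include_subdomains = preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


@dataclass
class SiteObservations:
    """What a checker observes about the naked domain. Constructed inputs
    here; a real checker gathers them with live requests."""
    valid_certificate: bool
    http_redirects_to_https: bool
    naked_domain_hsts: Optional[HstsPolicy]  # header on the naked domain's HTTPS reply


def preload_problems(obs: SiteObservations) -> list:
    """Return the unmet preload conditions; an empty list means eligible."""
    problems = []
    if not obs.valid_certificate:
        problems.append("HTTPS certificate is not valid")
    if not obs.http_redirects_to_https:
        problems.append("HTTP requests are not redirected to HTTPS")
    policy = obs.naked_domain_hsts
    if policy is None:
        problems.append("naked domain does not serve an HSTS header")
        return problems
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} is below the {PRELOAD_MIN_MAX_AGE}s minimum")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


# Constructed stand-in for the browser's built-in preload list:
# host -> whether the entry also covers subdomains (includeSubDomains).
PRELOAD_LIST = {"example.com": True, "example.net": False}


def preload_entry(host: str, preload_list: dict) -> Optional[str]:
    """Find the entry covering host: an exact match, or a parent domain whose
    entry was submitted with includeSubDomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in preload_list and (i == 0 or preload_list[candidate]):
            return candidate
    return None


def upgrade_url(url: str, preload_list: dict):
    """Mimic the browser-internal 307: rewrite http:// to https:// for a
    preloaded host without any network request. Returns (url, upgraded).
    Per RFC 6797 section 8.3 an explicit port 80 becomes 443 (written as the
    default, i.e. omitted); any other explicit port is kept. Assumes no
    userinfo in the URL."""
    parts = urlsplit(url)
    if parts.scheme != "http" or preload_entry(parts.hostname or "", preload_list) is None:
        return url, False
    host = parts.hostname
    netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment)), True
```

Running `preload_problems` on a site that serves the article's header, redirects HTTP and has a valid certificate yields an empty list, while a header such as `max-age=3600; preload` on a site that does not redirect HTTP yields three separate findings. The `upgrade_url` simulation shows the practical effect of the includeSubDomains flag in the preload list: `www.example.com` is upgraded because `example.com` was submitted with subdomains covered, but `www.example.net` is left alone because that entry was not.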
Caveat
There is one major caveat to be aware of before submitting the domain name for HSTS preloading to browsers: it is hard to go back. Once submitted and approved for HSTS preloading, the domain name is added to new and future browser updates.
If the domain name is later removed again, upon request by the site owner, it can take months before browsers have processed the removal and years before most browser users have upgraded to a version without the entry (consider how long IE6 was still used after it was no longer supported by Microsoft). During this time, browsers still using a preload list that contains the domain name will refuse to load any URL of the insecure HTTP version and will instead upgrade it to the HTTPS version.
It’s important that you make an
informed decisi