My registrar had an offer on domains so I figured I'd grab one and test out the HSTS preload process as it currently stands. I want to track how easy it is to preload and how long it takes for full browser coverage in vendor preload lists.
What's preloading?
HSTS, or HTTP Strict Transport Security, is a simple HTTP response header that sites can issue to tell a browser that it must only ever use HTTPS to communicate with the site. I have a blog post explaining HSTS in detail, HSTS - The missing link in Transport Layer Security, if you'd like more information, and a longer article on HSTS Preloading too. The only problem with HSTS is that the browser has to visit your site in order to get the header. This is known as the TOFU problem (Trust On First Use problem, nothing to do with food!). If a user has never been to your site, their browser won't know about HSTS. This is what HSTS Preloading solves. You can actually have your site put on a list that is built in to the browser and marked as 'HTTPS only'. That way, even if a visitor has never been to your site before, the browser will know to only ever use HTTPS to communicate.
HSTS preloading your site
Getting your site on the HSTS Preload list is actually really easy. If you already have HSTS enabled you will be issuing the HSTS header:
Strict-Transport-Security: max-age=31536000; includeSubDomains
To be eligible for preloading all you need to do is add the preload token to your header. This indicates that you want to be preloaded:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Once you have the preload token in place, you can request to be submitted by going to https://hstspreload.appspot.com/
On here, simply input your domain and check your status and eligibility for preloading:
If you get any warnings or errors then you will need to resolve those before you can submit your site to the preload list, but once you're all set, you can hit the big Submit button:
That's it!
Why the test?
I wanted to see how quickly this preload will now propagate through all of the browsers that support HSTS preloading and draw from the Chromium list. That should be Chrome, Opera, Firefox, Safari and Edge I believe (comments below if I'm wrong). I will keep track of the preload status in all browsers and any help would be appreciated if you can check for me and give me a heads up!
hsts-preload-test.xyz submitted 11:00 UTC 22 June 2016
Browser | HSTS Preloaded | Date Checked |
---|---|---|
Chrome | Yes | 02 Sep 2016 |
Opera | Yes | 28 Sep 2016 |
Firefox | Yes | 28 Sep 2016 |
Safari | No | 22 Jun 2016 |
Edge | No | 22 Jun 2016 |
Updates:
Jun 30th 2016 - Tracking changes to the Chromium preload list I can see the domain was added in this commit. It will be available in Chrome v53.
Sep 2nd 2016 - Chrome v53 has landed and the test domain is now HSTS preloaded!
Sep 2nd 2016 - The test domain is now listed in the Firefox HSTS Preload list.