 
If you want your site to be in Chrome's HSTS preload list (aka, default to HTTPS), submit it here: http://bit.ly/1oq7JG0 - note that Firefox and Safari include Chrome's preload list... 3 for the price of 1! Great deal.

To learn more about HSTS: http://chimera.labs.oreilly.com/books/1230000000545/ch04.html#_http_strict_transport_security_hsts
29 comments
 
+Ilya Grigorik Why does the submission form require that 301 redirects to HTTPS are also accompanied by a "Strict-Transport-Security" header? I thought HSTS headers were ignored when served over HTTP...
 
+Giacomo Pelagatti From that tool, no. As the last sentence of that page says, if you think you warrant special consideration, email.

Regarding redirects, the requirement is that the header come from the HTTPS connection. If the HTTPS connection redirects to another page, the target of the redirect must serve that header.
 
But wait, how does that scale? I thought so far only very high profile sites were hardcoded into the HSTS list.
 
+Ilya Konstantinov we'll make it scale -- that's not the problem. :)

+Giacomo Pelagatti in addition to what Ryan said, the 301 is required to provide secure experience to browsers that don't support HSTS. So, 301 from HTTP to HTTPS and serve STS header on the HSTS domain.
 
+Oliver Baker we were already looking into going the https route, but this might be a good way to do it as well. Thanks!
 
I've not heard of the 'preload' header value till now, not seen it mentioned anywhere else on the web as a possible value for the STS header. Is this some indication just for Chrome (or Googlebot) that the value can be picked up and added to Chrome's hard-coded list?  I.e. now Google promotes SSL sites, any site sending long-lived STS headers with the preload flag will automatically get added to Chrome's HSTS list?
 
+Sam Kelleher it's not a header, see here for more info: http://www.chromium.org/sts - if you want, in addition to using the STS header, you can submit your site to the preload list such that visitors get directly to HTTPS version of your site even with previously visiting it.
 
+Ilya Grigorik +Jacob Taylor Yes it was the 'preload' flag in particular. Up until now I've just had 'max-age=10886400; includeSubDomains;' as the header value on sites I operate, and then emailed Adam to add the site to Chrome's HSTS list. The 'preload' flag is something new/undocumented; I don't know what its use is. So I guessed that it was a signal to be used for auto-generating HSTS lists in the future.
 
The submission tool says (emphasis mine), "In order to be included, an entire site must be HTTPS only and must have valid certificates. That means that the site and all subdomains must be served over HTTPS."  Does this mean that the popular HTTP -> HTTPS redirect is not allowed? (Your previous comments here seem to indicate it is, but I'd like the documentation to be clear on this, because local security experts are thinking otherwise.)
 
If http->https redirect wasn't allowed, nobody using IE who hadn't previously visited would be able to touch your site :P they're not being that revolutionary :P
 
Can you make this page work on phones? There's no submit button! :) also the input field is pretty small.
 
How is validation done to assure that the party requesting inclusion on the list is authorized to do so for the specified domain(s)? Thanks.
 
If they don't have the preload tag in their https server headers, they probably fail validation. If they don't have control over the site, they wouldn't be able to put those headers in.
 
+Billy Crook as Jacob said, this is why we require an opt-in signal from the server, in the form of an HSTS header with "preload" directive. Believe me, I'd love to see "HTTPS everything" to be the default, but the sad reality is that today that still breaks major parts of the web, which is an obvious non-starter for any browser.
 
So I can add any site I want to the preload list as long as they have HTTPS enabled, right? The company in question doesn't have to want to be on the list?
 
+Tyler Larson no, only the site owner can opt-in into the preload list. This is why we require the preload token in the HTTP header.
 
+Billy Crook I can assure you that I can't add any random site to the list - the list is public and we have requisite review processes in place. 
 
+Billy Crook I looked into it a bit closer; basically the idea is that you modify your site to reflect your desire to have your HSTS info preloaded (by adding a "preload" option to your HSTS header). That's the real way you opt-in. Submitting this form just notifies the team to go look at your site, otherwise they wouldn't know to check to see that you'd changed anything.
 
You should consider releasing this as a testing tool as well.  It'd be nice to check that HSTS is properly and thoroughly implemented on sites that aren't going to be preloaded or are already preloaded but might have had configuration changes.
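The checks discussed in this thread (plain HTTP must 301 to HTTPS, the header must come from the HTTPS side and from the final redirect target, and the header must carry the "preload" opt-in) are small enough to script. The following is an added example of such a checker, written for this page and not code from the thread's participants or from the Chromium submission tool. It runs over constructed sample responses rather than fetching anything; the 18-week (10886400 s) minimum max-age is an assumption taken from the value a commenter quotes, and the host, paths and response dicts are made up for illustration.

```python
from urllib.parse import urlparse

# Constructed sample responses (not real captures). Each is what a checker
# would see: the plain-HTTP answer, then the chain of HTTPS answers ending
# at the page that finally serves content.
HTTP_RESPONSE = {
    "status": 301,
    "headers": {
        "Location": "https://www.example.com/",
        # An STS header on a plain-HTTP response is ignored by browsers,
        # so the checker does not count it either.
        "Strict-Transport-Security": "max-age=31536000",
    },
}
HTTPS_CHAIN = [
    # The HTTPS root redirects again; as the thread notes, the redirect
    # target is the response that has to carry the header.
    {"status": 301, "headers": {"Location": "https://www.example.com/home"}},
    {"status": 200, "headers": {
        "Strict-Transport-Security": "max-age=10886400; includeSubDomains; preload"}},
]
HTTPS_CHAIN_NO_PRELOAD = [
    {"status": 200, "headers": {
        "Strict-Transport-Security": "max-age=10886400; includeSubDomains"}},
]

# Assumed threshold: the thread quotes 10886400 seconds (18 weeks) as a
# max-age in use; anything shorter is reported as a problem here.
MIN_MAX_AGE = 10886400
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def get_header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_sts(value):
    """Parse a Strict-Transport-Security header value into a dict.

    Directive names are case-insensitive and stored lower-cased; max-age is
    converted to an int, every other directive maps to True.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"invalid max-age value: {val!r}")
            directives[name] = int(val)
        else:
            directives[name] = True
    return directives


def check_preload_requirements(host, http_response, https_chain):
    """Return a list of problems found; an empty list means all checks passed."""
    problems = []

    # 1. Plain HTTP must 301 to the HTTPS version of the same host, so that
    #    browsers without HSTS support still land on HTTPS.
    if http_response["status"] != 301:
        problems.append(f"HTTP status is {http_response['status']}, expected 301 to HTTPS")
    else:
        loc = urlparse(get_header(http_response["headers"], "Location") or "")
        if loc.scheme != "https" or loc.hostname != host:
            problems.append(f"HTTP redirect does not point at https://{host}")

    # 2. Only the final, non-redirect HTTPS response counts for the header.
    final = https_chain[-1] if https_chain else None
    if final is None or final["status"] in REDIRECT_STATUSES:
        problems.append("HTTPS chain does not end at a non-redirect response")
        return problems

    sts = get_header(final["headers"], "Strict-Transport-Security")
    if sts is None:
        problems.append("redirect target over HTTPS serves no Strict-Transport-Security header")
        return problems
    try:
        directives = parse_sts(sts)
    except ValueError as exc:
        problems.append(str(exc))
        return problems

    # 3. Long max-age, includeSubDomains, and the "preload" opt-in signal.
    max_age = directives.get("max-age", 0)
    if max_age < MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below {MIN_MAX_AGE}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    if "preload" not in directives:
        problems.append("preload directive missing (no opt-in signal)")
    return problems


if __name__ == "__main__":
    for label, chain in (("good", HTTPS_CHAIN), ("no preload", HTTPS_CHAIN_NO_PRELOAD)):
        print(label, check_preload_requirements("www.example.com", HTTP_RESPONSE, chain) or "OK")
```

To use it against a live site you would replace the constructed dicts with the status and headers from two fetches (one over http://, one over https://, following redirects and recording each hop); the checker deliberately ignores any STS header seen on the plain-HTTP hop, matching the browser behaviour the thread describes.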