Preload HSTS

Question

Preload HSTS

Opened this issue 4 years ago · 4 comments

HSTS should be preloaded https://hstspreload.org/?domain=isbgpsafeyet.com

Answer 1 · 2020-05-05T20:27:31.000Z

It is preloaded actually: https://dev.ssllabs.com/ssltest/analyze.html?d=isbgpsafeyet.com&s=104.18.12.88&latest
It just displays that it's half a year (15552000) instead of a whole (31536000). But It's enough, i think.

Answer 2 · 2020-05-05T20:30:07.000Z

It is preloaded actually: https://dev.ssllabs.com/ssltest/analyze.html?d=isbgpsafeyet.com&s=104.18.12.88&latest
It just displays that it's half a year (15552000) instead of a whole (31536000). But It's enough, i think.

It's not preloaded, max age needs to be 31536000 and then the domain needs to be submitted via https://hstspreload.org

Answer 3 · 2020-07-06T16:36:19.000Z

It is true, I'm talking about preloading as explained in the title and the comment you quoted.

Yes you can have HSTS without it being preloaded but to be preloaded you need the requirements which I said. I don't see how you think it's stupid, if an attacker wanted to MITM a user and they have never visited the website before then they could as the first request will be using HTTP unless you have an extension like HTTPS Everywhere.

Answer 4 · 2020-07-06T16:40:26.000Z

This is IMHO, very improbable. Anyway, next time when the site will be visited, it will be redirected to https and then HSTS'd foreVa!

Not forever, it follows the max-age in the HSTS header.

However improbable you think it is I don't find a reason for this not to be preloaded, unless Cloudflare feels like it might lose HTTPS compatibility in the future.