3

I have a website like https://www.example.com. I need to force all users visiting my site to use HTTPS connections.

I thought about HSTS but I don't know how to add my site to the preload entries of browsers (browsers will only allow HTTPS access to domains in their preload lists) in their next versions. Is there any site, or person, where I can register?

I know about it is possible to enforce HTTPS for a website manually to my browser, but I need my site to be "preloaded" for all users.

Jedi
  • 3,936
  • 2
  • 24
  • 42
Andiana
  • 133
  • 2
  • 1
    In the fact, https only config just make browser connection to my browser with https-only mode. But it isn't prevent user from MITM (Man in the middle) attack. I need my site to be in HSTS preload entries of famous browsers. – Andiana Jul 14 '16 at 02:31
  • Related posts [from here](https://security.stackexchange.com/questions/112493/hsts-on-a-subdomain-with-includesubdomains/) and [from Webmasters SE](https://webmasters.stackexchange.com/questions/71291/do-i-need-a-wildcard-ssl-certificate-for-inclusion-in-the-hsts-preload-list) that cover policies regarding subdomains (in case it applies). – Jedi Jul 14 '16 at 02:58

1 Answers1

3

All major browsers (Chrome, Firefox, Opera, Safari, IE 11 and Edge) use an HSTS preload list of Chromium.

You can check the eligibility and register the website to be included in the HSTS preload list on the https://hstspreload.org/ page.

As of today, the requirements are:

  1. Have a valid certificate.
  2. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.
  3. Serve all subdomains over HTTPS.
    • In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists.
  4. Serve an HSTS header on the base domain for HTTPS requests:
    • The max-age must be at least 31536000 seconds (1 year).
    • The includeSubDomains directive must be specified.
    • The preload directive must be specified.
    • If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (rather than the page it redirects to).
nobody
  • 11,341
  • 2
  • 41
  • 60
techraf
  • 9,149
  • 11
  • 44
  • 62