What is the HSTS Preload List for Chrome? How to Add Domain to HSTS Preload List?


Today, with cyber threats increasing at a fast pace, it has become paramount for individuals and organizations alike to ensure that web connections are encrypted and protected. The HTTP Strict Transport Security (HSTS) Preload List can be used to achieve this.

But are you familiar with the HSTS preload list, what it is, and how to add a domain to it? If not, fret not! This article explains the HSTS Preload List and how to add a domain to it.

What is the HSTS Preload List for Chrome?

The HSTS Preload List is a cross-browser security feature introduced in RFC 6797 in 2012. The primary objective of the HSTS Preload list is to ensure that web connections are made over a secure HTTPS channel. It is achieved by enforcing HTTPS on sites before a browser even connects to them.

Google manages the HTTP Strict Transport Security list, and popular web browsers like Internet Explorer, Mozilla Firefox, etc., utilize it.

Apart from individual domains, top-level domains can also be added to the HTTP Strict Transport Security preload list.

If a registry adds its extension to the HSTS preload list, all domains registered under that top-level domain will be served over HTTPS. .insurance and .bank are the very first extensions to use the HTTP Strict Transport Security preload list.

Apart from this, Google Registry has also added .dev and .app to the HSTS preload list.

Some Key Components of the HTTP Strict Transport Security Preload List:

  • Max-age: Defines the duration (in seconds) for which the HSTS policy remains in effect.
  • includeSubDomains: Indicates whether the HSTS policy applies to subdomains.
  • Preload: A directive allowing websites to be included in browsers’ preload lists for improved security.

How to Add a Domain to the HSTS Preload List?

Prior to submitting a domain to the HSTS preload list, understanding the essential criteria for inclusion is crucial. Here are the requirements that the site must fulfil to be accepted to the HSTS preload list:

Certificate and HTTPS Configuration:

  • Valid Certificate: The site must serve a valid SSL certificate (X.509 certificate).
  • HTTP to HTTPS Redirect: HTTP traffic must be redirected to HTTPS on the same host if the site listens on port 80.
  • Subdomain HTTPS Support: All subdomains, including internal ones, must be served over HTTPS. Support for the www subdomain is obligatory if a DNS record for it exists.

HSTS Header Specification:

  • Max-Age: The max-age directive in the HSTS header must be at least 31536000 seconds (1 year).
  • IncludeSubDomains Directive: The includeSubDomains directive must be specified.
  • Preload Directive: The preload directive must be specified.

Note: Website owners must ensure continuous compliance with the submission requirements. Failure to do so may result in removal from the preload list.

Now that we know the requirements, let’s explore how to add a domain to the HTTP Strict Transport Security preload list.

Follow these steps to add a domain to the HSTS Preload List:

  1. Ensure all your sites have a valid SSL certificate and use up-to-date encryption ciphers.
  2. Redirect any HTTP traffic to HTTPS to secure all requests.
  3. Confirm that the above conditions are met across all domains and subdomains, as defined in your Domain Name System records.
  4. Over HTTPS, your base domain should offer a Strict-Transport-Security header with a minimum max-age of 31536000 seconds (1 year). It should also include both includeSubDomains and preload directives.
  5. Visit the website hstspreload.org and use the provided form to submit your domain for inclusion. Upon verification that your domain meets these prerequisites, it will be placed in line for addition to the list.

Conclusion

Secure your website’s future and enhance user trust by adding your domain to the HSTS Preload List today. By ensuring all connections to your site are encrypted and protected, you boost security and improve your site’s credibility.

Take the first step now by visiting hstspreload.org and submitting your domain. Act now and elevate your web security and user trust to the next level!

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.