[zalmoxes]

Google has changed this almost a year ago

> Turn on SafeSearch VIP To force SafeSearch for your network, you’ll need to update your DNS configuration. Set the DNS entry for www.google.com (and any other Google ccTLD country subdomains your users may use) to be a CNAME for forcesafesearch.google.com.

>We will serve SafeSearch Search and Image Search results for requests that we receive on this VIP.

You can enforce safe search over https now https://support.google.com/websearch/answer/186669?hl=en

[mrb]

I used to work at Google, and I confirm the parent is correct. Things work this way so that schools can force safe search, while keeping HTTPS.

[nsgi]

However, this means that schools can't see what pupils search for, and that any network operator can force safe search.

[mikecb]

Schools almost ubiquitously use SSL -decrypting dpi devices with the device root installed on endpoints, bypassing both HSTS and HPKP.