[mseebach]

You should definitely use HSTS, but I think this is about catching those people entering "website.com" in their browser, where the default behaviour (having never visited the site before) is connecting via HTTP. You want those redirected to a HSTS enabled HTTPS connection immediately, and this seems to be a good place to put this functionality?

[bjpbakker]

> catching those people entering "website.com"

When the domain is registered to use HSTS their browser will use a TLS connection the first time they ever connect to your website.

> You want those redirected to a HSTS enabled HTTPS connection immediately

Websites that depend on advertising probably do as they often want to support very old browsers. Otherwise there's no real need for a redirect/connection upgrade IMO.

[nailer]

First time a client connects it'll be HTTP. Then they'll see the HSTS header. Subsequent connections will be HTTPS

[bjpbakker]

That's why there is the HSTS preload list [0], so that browsers can know this before making the HTTP request.

If you don't want to add your domain to the preload list, you will have to (automatically) redirect/upgrade users to HTTPS, or bounce them.

[0] - https://hstspreload.org/

[merb]

> That's why there is the HSTS preload list

which has the following requirements: 1. Serve a valid certificate. 2. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.

oops.

[bjpbakker]

In the second part of that sentence:

> if you are listening on port 80

You don’t have to accept trafic on the http port for HSTS preloading. But iff you do you must redirect it.

This rule makes sense; at least you should never serve content over http.

[gjs278]

not everyone's browser has that list. if you turn off port 80, at no point will the browser that doesn't have this list be able to connect to your website.