[bjpbakker]

> catching those people entering "website.com"

When the domain is registered to use HSTS their browser will use a TLS connection the first time they ever connect to your website.

> You want those redirected to a HSTS enabled HTTPS connection immediately

Websites that depend on advertising probably do as they often want to support very old browsers. Otherwise there's no real need for a redirect/connection upgrade IMO.

[nailer]

First time a client connects it'll be HTTP. Then they'll see the HSTS header. Subsequent connections will be HTTPS

[bjpbakker]

That's why there is the HSTS preload list [0], so that browsers can know this before making the HTTP request.

If you don't want to add your domain to the preload list, you will have to (automatically) redirect/upgrade users to HTTPS, or bounce them.

[0] - https://hstspreload.org/

[merb]

> That's why there is the HSTS preload list

which has the following requirements: 1. Serve a valid certificate. 2. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.

oops.

[bjpbakker]

In the second part of that sentence:

> if you are listening on port 80

You don’t have to accept trafic on the http port for HSTS preloading. But iff you do you must redirect it.

This rule makes sense; at least you should never serve content over http.

[gjs278]

not everyone's browser has that list. if you turn off port 80, at no point will the browser that doesn't have this list be able to connect to your website.

[bjpbakker]

Except for Opera Mini and UC (Android), all modern browsers do. That’s over 85% of global usage. [0]

[0] https://caniuse.com/#feat=stricttransportsecurity