by nailer 2944 days ago
First time a client connects it'll be HTTP. Then they'll see the HSTS header. Subsequent connections will be HTTPS

That's why there is the HSTS preload list [0], so that browsers can know this before making the HTTP request.

If you don't want to add your domain to the preload list, you will have to (automatically) redirect/upgrade users to HTTPS, or bounce them.

[0] - https://hstspreload.org/
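A client-side model of what the post and the reply above describe (first visit over plain HTTP, the Strict-Transport-Security header remembered, later visits upgraded, preloaded hosts upgraded from the start), plus a check of the header-side rules hstspreload.org enforces (max-age of at least one year, includeSubDomains, preload). This is an added example, not code from the thread; `example.test` and `preloaded.example` are constructed names, and the `preload` argument stands in for the browser's built-in list.

```python
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts

def parse_sts(header):
    """Parse a Strict-Transport-Security value; None if max-age is missing or invalid."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

class HstsStore:
    """Minimal HSTS known-hosts store. `preload` is a stand-in for the built-in list."""
    def __init__(self, preload=()):
        # Preloaded entries never expire and (per the preload rules) cover subdomains.
        self.known = {h: {"expires": float("inf"), "include_subdomains": True} for h in preload}

    def observe(self, host, scheme, header, now):
        if scheme != "https":      # RFC 6797: ignore the header on an insecure transport
            return
        policy = parse_sts(header)
        if policy is None:
            return
        if policy["max_age"] == 0:  # max-age=0 tells the client to forget the host
            self.known.pop(host, None)
            return
        self.known[host] = {"expires": now + policy["max_age"],
                            "include_subdomains": policy["include_subdomains"]}

    def is_known(self, host, now):
        labels = host.split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self.known.get(".".join(labels[i:]))
            if entry and entry["expires"] > now and (i == 0 or entry["include_subdomains"]):
                return True
        return False

    def rewrite(self, url, now):
        """Return the URL the client should actually fetch (upgraded when the host is known)."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

def meets_preload_header_rules(header):
    p = parse_sts(header)
    return bool(p and p["max_age"] >= ONE_YEAR and p["include_subdomains"] and p["preload"])
```

The store deliberately ignores a header seen over HTTP, which is why the very first visit to a non-preloaded host cannot be protected by HSTS alone and needs the redirect the reply above mentions.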

> That's why there is the HSTS preload list

which has the following requirements:

1. Serve a valid certificate.
2. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.

oops.

In the second part of that sentence:

> if you are listening on port 80

You don’t have to accept traffic on the HTTP port for HSTS preloading. But iff you do, you must redirect it.

This rule makes sense; at least you should never serve content over http.

Not everyone's browser has that list. If you turn off port 80, at no point will the browser that doesn't have this list be able to connect to your website.

Except for Opera Mini and UC (Android), all modern browsers do. That’s over 85% of global usage. [0]

[0] https://caniuse.com/#feat=stricttransportsecurity