[bjpbakker]

That's why there is the HSTS preload list [0], so that browsers can know this before making the HTTP request.

If you don't want to add your domain to the preload list, you will have to (automatically) redirect/upgrade users to HTTPS, or bounce them.

[0] - https://hstspreload.org/

[merb]

> That's why there is the HSTS preload list

which has the following requirements: 1. Serve a valid certificate. 2. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.

oops.

[bjpbakker]

In the second part of that sentence:

> if you are listening on port 80

You don’t have to accept trafic on the http port for HSTS preloading. But iff you do you must redirect it.

This rule makes sense; at least you should never serve content over http.

[gjs278]

not everyone's browser has that list. if you turn off port 80, at no point will the browser that doesn't have this list be able to connect to your website.

[bjpbakker]

Except for Opera Mini and UC (Android), all modern browsers do. That’s over 85% of global usage. [0]

[0] https://caniuse.com/#feat=stricttransportsecurity

[gjs278]

https://www.reddit.com/r/AskNetsec/comments/6mo4lt/how_long_...

checkmate