[sjwright]

Not being able to serve HTTPS is not a real concern. It seems possible but in reality it simply won’t happen. If it ever does break, you fix it, you don’t change protocols.

Once you go HTTPS you’re all in regardless whether or not you’ve set HSTS headers. Let’s say your HTTPS certificate fails and you can’t get it replaced. So what, you’re going to temporarily move back to HTTP for a few days? Not going to happen! Everyone has already bookmarked/linked/shared/crawled your HTTPS URLs. There is no automated way to downgrade people to HTTP, so only the geeks who would even think to try removing the “s” will be able to visit. And most geeks won’t even do that because we’ve probably never encountered a situation where that has ever helped.

[SquareWheel]

It happened to me. I served my site over TLS and used HSTS. Hosting got expensive, so I rebuilt my site on Github Pages and hosted there. It was another year and a half before they rolled out HTTPS for custom domains.

In that case, old visitors were rejected due to the policy. I wish I had set a lower duration.

[sjwright]

> old visitors were rejected due to the policy

Also because their links and bookmarks would have all failed.

[shawnz]

But HSTS also blocks the workaround of "just Google it and find the page again"

[LinuxBender]

You can use the webmaster tools on Google to fix the indexing. It takes a few days, but worth the effort.

[MichaelApproved]

The issue is that the browser won't let you visit the insecure URL, regardless of how you get to it.

It won't work because the HSTS setting the visitor got months ago told it not to.

[LinuxBender]

That is exactly what I am talking about.

In the webmaster tools, you want to get google to remove all references to the non https versions. Ensure https is up on all URL's, then use their tools to re-index everything and remove all references to http://

Are you saying you can't set up https on some of your URL's?