HSTS preload list achievement unlocked

Happy days! With the release of Chrome 61, paranoidpenguin.net was finally added to Chrome’s preloaded HSTS list. This means Chrome will always connect to paranoidpenguin.net and all of its subdomains over HTTPS, even on the very first visit, before it has ever seen a Strict-Transport-Security header from the server. Most other major browsers (Firefox, Safari and Edge among them) derive their preload lists from Chromium’s, so the benefit is not limited to Chrome users.

I’ve been a bit slow to comply with the HSTS preload requirements because this site is hosted on a subdomain (blog), and I’m also guilty of having used a multi-level subdomain structure (www.blog) in the past, so I had some old mistakes to make amends for. Preloading requires every subdomain to be served over HTTPS and the HTTP to HTTPS redirect on port 80 to stay on the same host, so I had to get rid of the old 301 redirect that sent every virtual host straight to the blog subdomain on port 443 (HTTPS).

The new structure is as follows:

# domain = paranoidpenguin.net
http://www.blog.domain => https://www.blog.domain
http://www.domain => https://www.domain
http://domain => https://domain

After each alternate host has been redirected to itself over HTTPS there is a final 301 redirect to my preferred blog subdomain. Unfortunately, for browsers that do not have the domain preloaded (or an HSTS policy cached from an earlier visit), this amounts to an extra round-trip on the first visit.

Anyhow, let’s use the Chrome DevTools Network panel to investigate how the browser handles a plain HTTP request to my old multi-level subdomain (www.blog) on port 80.

[Image: Chrome HSTS Preload] Chrome performing a 307 internal redirect according to HSTS policy.

As seen in the image above, Chrome performs an internal 307 redirect based on the preloaded HSTS list and then connects to the requested host over HTTPS. DevTools shows it as "307 Internal Redirect" with a Non-Authoritative-Reason: HSTS header, because the redirect never left the browser: no plain HTTP connection was made to the remote server, so there was nothing on the wire for a network attacker to intercept or rewrite. Pretty awesome me thinks.

To join the HSTS preload list you simply submit your domain at hstspreload.org. Before submitting, the site has to meet the requirements: a valid certificate, a redirect from HTTP to HTTPS on the same host if you listen on port 80, every subdomain served over HTTPS, and a Strict-Transport-Security header on the base domain over HTTPS with a max-age of at least one year (31536000 seconds, the current minimum), includeSubDomains and preload. If the HTTPS base domain itself redirects elsewhere, that redirect response must carry the header. Be advised, though, that inclusion is effectively permanent: removal takes months to reach users through browser releases, and once listed, Chrome will no longer accept plain HTTP connections to your domain or any of its subdomains, including ones you have not set up TLS for yet.
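As an added example (not code from the original post), here is an offline Python check of the two things described above: the redirect structure, including the extra hop a non-preloaded browser pays, and the hstspreload.org eligibility rules. The host names, status codes and header values below are constructed to mirror the old setup (every host jumping straight to the blog) and the new one; nothing is fetched from the network, and the rules encoded are my reading of hstspreload.org, not the site’s own checker.

```python
"""Offline HSTS preload eligibility check over a constructed redirect chain.

Added example, not code from the original post. The response tables are
constructed for illustration; no network access is performed.
"""
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # current hstspreload.org minimum max-age, in seconds

# Constructed responses keyed by URL: (status, Location, Strict-Transport-Security)
OLD_SITE = {
    # old setup: every vhost jumped straight to the blog host, and the
    # base domain over HTTPS redirected without an HSTS header
    "http://paranoidpenguin.net/": (301, "https://blog.paranoidpenguin.net/", None),
    "https://paranoidpenguin.net/": (301, "https://blog.paranoidpenguin.net/", None),
    "https://blog.paranoidpenguin.net/": (200, None, "max-age=10886400"),
}

NEW_SITE = {
    # new setup: the first hop stays on the same host, then one hop to the blog
    "http://paranoidpenguin.net/": (301, "https://paranoidpenguin.net/", None),
    "https://paranoidpenguin.net/": (301, "https://blog.paranoidpenguin.net/",
                                     "max-age=31536000; includeSubDomains; preload"),
    "https://blog.paranoidpenguin.net/": (200, None,
                                          "max-age=31536000; includeSubDomains; preload"),
}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict.

    Directive names are case-insensitive and are lowercased here; max-age
    becomes an int, flag directives (includeSubDomains, preload) map to True.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        directives[name] = int(raw) if name == "max-age" else True
    return directives


def follow(site, url, limit=10):
    """Replay the redirect chain from url; returns (url, status, location, hsts) hops."""
    hops = []
    while url is not None and len(hops) < limit:
        if url not in site:
            break  # the constructed table has no response for this URL
        status, location, hsts = site[url]
        hops.append((url, status, location, hsts))
        url = location if 300 <= status < 400 else None
    return hops


def preload_problems(site, domain):
    """Return a list of rule violations for domain; an empty list means eligible."""
    problems = []
    hops = follow(site, f"http://{domain}/")
    if not hops:
        problems.append("no response for the base domain on port 80")
    else:
        _, status, location, _ = hops[0]
        if not (300 <= status < 400 and location):
            problems.append("port 80 does not redirect to HTTPS")
        else:
            target = urlsplit(location)
            if target.scheme != "https" or target.hostname != domain:
                problems.append(f"HTTP->HTTPS hop leaves the host: {location}")
    https_url = f"https://{domain}/"
    if https_url not in site:
        problems.append("no HTTPS response for the base domain")
        return problems
    hsts = site[https_url][2]
    if hsts is None:
        # the header must be on the first HTTPS response, even if it is a redirect
        problems.append("no HSTS header on the first HTTPS response")
        return problems
    d = parse_hsts(hsts)
    if d.get("max-age", 0) < ONE_YEAR:
        problems.append(f"max-age {d.get('max-age', 0)} is below one year")
    if not d.get("includesubdomains"):
        problems.append("includeSubDomains directive missing")
    if not d.get("preload"):
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    for label, site in (("old", OLD_SITE), ("new", NEW_SITE)):
        print(label, "->", preload_problems(site, "paranoidpenguin.net") or ["eligible"])
    # a preloaded browser starts at https:// and skips the port 80 hop entirely
    print("hops without preload:", len(follow(NEW_SITE, "http://paranoidpenguin.net/")))
    print("hops with preload:", len(follow(NEW_SITE, "https://paranoidpenguin.net/")))
```

Running it reports the old layout as ineligible on two counts (the port 80 hop leaves the host, and the HTTPS base domain redirects without an HSTS header) and the new layout as eligible, with three hops for a browser that has to start on port 80 against two for one that has the domain preloaded.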