Opened 6 years ago

Last modified 3 years ago

#1194 new change

Submit to be included in Chrome's HSTS preload list

Reported by: greiner Assignee:
Priority: P3 Milestone:
Module: Infrastructure Keywords:
Cc: fhd, matze Blocked By: #1543
Blocking: Platform: Chrome
Ready: yes Confidential: no
Tester: Verified working: no
Review URL(s):



The Chrome team provides a form which allows domain owners to submit their sites for inclusion in a list that tells the browser that the site is HTTPS-only. According to them "Firefox and Safari also have a preloaded list which feeds from the Chrome list."

What to change

  • All pages on (including subdomains) have to use HTTPS for a successful inclusion so check whether there are any pages which are running on plain HTTP.
  • If that is the case, make sure that they will also work fine when using HTTPS and make them use HTTPS after that.
  • Modify the Strict-Transport-Security for any pages on (including subdomains) to include includeSubDomains and preload tags and a max-age tag with a value larger than 10886399.
  • Make sure that any redirects also include the Strict-Transport-Security header.
  • Go to and submit for inclusion in the list.

Change History (4)

comment:1 Changed 6 years ago by trev

  • Blocked By 51 added
  • Ready set

This is blocked by #51 - is currently the only subdomain without HTTPS support. We cannot turn HTTPS on as long as we don't host it.

comment:2 Changed 6 years ago by matze

  • Cc matze added

comment:3 Changed 6 years ago by trev

  • Blocked By 1543 added; 51 removed

comment:4 Changed 3 years ago by fhd

  • Cc trev removed
Note: See TracTickets for help on using tickets.