HSTS Preload and Google Registry
What is HSTS?
In order to understand HSTS (HTTP Strict Transport Security), you first need to understand a little about HTTPS. HTTPS (or SSL) encrypts your site's connection with visitors. Having an SSL certificate creates that little padlock icon in the corner of your URL bar, confirming a secure connection to the site you're visiting.
HSTS takes that security a step further. The HSTS Preload List is a security feature that forces browsers visiting the website of an enrolled domain to encrypt the connection. Anyone can submit their domain to the list. Sites that don't have a valid HTTPS certificate will not load, thwarting potential man-in-the-middle attacks.
It's also possible to add an entire top-level domain to the HSTS Preload List. Google Registry debuted several top-level domains, including .app, .day, .dev, .page, and .new, which were added to the HSTS Preload List before their launch. That means if you register a .app domain, that domain is automatically on the list and cannot be removed.
What does this mean for my Google Registry domain?
Because many Google Registry top-level domains were added to the HSTS Preload List, a .dev domain, for example, will need to have an SSL certificate for the website to be viewable. Otherwise, the browser won't load the page and gives an “HTTP is disabled for this domain” message.
Not to worry! Porkbun already offers free SSL certificates to all of our users. If you’re hosting your .dev site at Porkbun, or using our URL forwarding service, HTTPS is automatic; you don’t have to do anything!
You can even use your Porkbun certificate with a third-party host. More information on using our SSL can be found here. Already purchased a traditional certificate? That works too, as long as a valid HTTPS connection is being made to your site.
What if I don't have a Google Registry domain but would like the added security of HSTS?
You can add any domain you own to the HSTS Preload List! You will just need to submit your domain to the list and meet the other requirements (such as using a valid SSL certificate). For more information on those requirements, and to add your domain to the list, you can visit the site here.