HSTS Preload and .app
What is HSTS?
"HTTPS" (SSL) is a way to encrypt your site's connection. It ensures the link between your web server and browser is secure. In Chrome, it shows a little green padlock in the corner of your URL bar. HSTS takes online security a step further.
HSTS (HTTP Strict Transport Security) is a way to require sites to have an HTTPS connection, by maintaining a special list known as the HSTS Preload List. Anyone can submit their site to the list, which tells every modern browser: “insecure HTTP is disabled for this domain.” Sites on the list that don't have HTTPS will not load.
What makes .app unique is that Google has added the entire .app zone to the HSTS Preload List, no exceptions allowed. If you have registered a .app domain, that domain is already on the list.
What does this mean for my .app domain?
Because all .app domains are automatically added to the HSTS Preload List, you will need to have an SSL certificate for them to be viewable. Otherwise, the browser won't load the page and will give an “insecure HTTP is disabled for this domain” message.
Not to worry! Porkbun already offers free SSL Let's Encrypt Certificates to all our users. If you’re hosting your .app site via our site builder or shared hosting package, HTTPS is automatic; you don’t have to do a thing!
You can even use your Porkbun certificate with a third-party host. More information on using our SSL can be found here. Already purchased a traditional certificate? That works, too.
What if I don't have a .app domain, but would like to use HSTS?
You can use HSTS too! You will just need to submit your domain to the HSTS Preload List and meet the other requirements (such as using an SSL certificate). For more information on those requirements, and to add your domain to the list, you can visit the site here.