HSTS Preload and Google Registry
What is HSTS?
In order to understand HSTS, you first need to understand a little about HTTPS.HTTPS (or SSL) encrypts your site's connection with visitors. In Chrome, it shows a little green padlock in the corner of your URL bar. HSTS takes that security a step further.
HSTS requires sites to use an HTTPS connection by maintaining a special list known as the HSTS Preload List. Anyone can submit their site to the list, which tells every modern browser: “insecure HTTP is disabled for this domain.” Sites that don't have a valid HTTPS certificate will not load, thwarting most man-in-the-middle attacks.
The current Google Registry TLDs are: .app, .day, .dev, .page, .new, .how, .soy, and the IDN .xn--q9jyb4c. What makes Google Registry domains unique is that Google has added its entire top level domains to the HSTS Preload List, with no exceptions. So, if you have registered a .app domain, for instance, that domain is automatically on the list and cannot be removed.
What does this mean for my Google registry domain?
Because all Google Registry domains are automatically added to the HSTS Preload List, you will need to have an SSL certificate for their websites to be viewable. Otherwise, the browser won't load the page and give an “insecure HTTP is disabled for this domain” message.
Not to worry! Porkbun already offers free SSL Let's Encrypt Certificates to all our users. If you’re hosting your .app site via our site builder or shared hosting package or using our URL forwarder, HTTPS is automatic; you don’t have to do anything!
You can even use your Porkbun certificate with a third-party host. More information on using our SSL can be found here. Already purchased a traditional certificate? That works, too.
What if I don't have a Google Registry domain but would like the added security of HSTS?
You can use HSTS too! You will just need to submit your domain to the HSTS Preload list and meet the other requirements (such as using an SSL certificate). For more information on those requirements and to add your domain to the list, you can visit the site here.