HSTS Preload and Google Registry
What is HSTS?
To understand HSTS (HTTP Strict Transport Security), you first need to understand a little about HTTPS. HTTPS (or SSL) encrypts your site's connection with visitors. In Chrome, it shows a little padlock icon in the corner of your URL bar. HSTS takes that security a step further.
The HSTS Preload List is a security feature that forces browsers visiting the website of an enrolled domain to encrypt the connection. Anyone can submit their domain to the list. Sites that don't have a valid HTTPS certificate will not load, thwarting most man-in-the-middle attacks.
It's also possible to add an entire top-level domain to the HSTS Preload list. Google Registry debuted several top-level domains, including .app, .day, .dev, .page, and .new, which were added to the HSTS Preload List before their launch. So, if you register a .app domain, that domain is automatically on the list and cannot be removed.
What does this mean for my Google Registry domain?
Because many Google Registry top-level domains were added to the HSTS Preload List, a .dev domain, for example, will need to have an SSL certificate for the website to be viewable. Otherwise, the browser won't load the page and gives an “insecure HTTP is disabled for this domain” message.
Not to worry! Porkbun already offers free SSL certificates to all of our users. If you’re hosting your .day site at Porkbun, or using our URL forwarder, HTTPS is automatic; you don’t have to do anything!
You can even use your Porkbun certificate with a third-party host. More information on using our SSL can be found here. Already purchased a traditional certificate? That works, too.
What if I don't have a Google Registry domain but would like the added security of HSTS?
You can add any domain you own to the HSTS Preload list! You will just need to submit your domain to the list and meet the other requirements (such as using an SSL certificate). For more information on those requirements, and to add your domain to the list, you can visit the site here.