Preload HSTS

[FozzieHi]

HSTS should be preloaded https://hstspreload.org/?domain=isbgpsafeyet.com

[Displax]

It is preloaded actually: https://dev.ssllabs.com/ssltest/analyze.html?d=isbgpsafeyet.com&s=104.18.12.88&latest
It just displays that it's half a year (15552000) instead of a whole (31536000). But It's enough, i think.

[FozzieHi]

It is preloaded actually: https://dev.ssllabs.com/ssltest/analyze.html?d=isbgpsafeyet.com&s=104.18.12.88&latest
It just displays that it's half a year (15552000) instead of a whole (31536000). But It's enough, i think.

It's not preloaded, max age needs to be 31536000 and then the domain needs to be submitted via https://hstspreload.org

[FozzieHi]

It is true, I'm talking about preloading as explained in the title and the comment you quoted.

Yes you can have HSTS without it being preloaded but to be preloaded you need the requirements which I said. I don't see how you think it's stupid, if an attacker wanted to MITM a user and they have never visited the website before then they could as the first request will be using HTTP unless you have an extension like HTTPS Everywhere.

[FozzieHi]

This is IMHO, very improbable. Anyway, next time when the site will be visited, it will be redirected to https and then HSTS'd foreVa!

Not forever, it follows the max-age in the HSTS header.

However improbable you think it is I don't find a reason for this not to be preloaded, unless Cloudflare feels like it might lose HTTPS compatibility in the future.