Testing the HSTS preload process

My registrar had an offer on domains so I figured I'd grab one and test out the HSTS preload process as it currently stands. I want to track how easy it is to preload and how long it takes for full browser coverage in vendor preload lists.

 

What's preloading?

HSTS, or HTTP Strict Transport Security, is a simple HTTP response header that sites can issue to tell a browser that it must only ever use HTTPS to communicate with the site. If you'd like more information, I have a blog post explaining HSTS in detail, HSTS - The missing link in Transport Layer Security, and a longer article on HSTS Preloading too. The only problem with HSTS is that the browser has to visit your site in order to get the header. This is known as the TOFU problem (Trust On First Use problem, nothing to do with food!). If a user has never been to your site, they won't know about HSTS, and that first visit can still go over plain HTTP. This is what HSTS Preloading solves. You can actually have your site put on a list that is built into the browser and marked as 'HTTPS only'. That way, even if a visitor has never been to your site before, the browser will know to only ever use HTTPS to communicate.

 

HSTS preloading your site

Getting your site on the HSTS Preload list is actually really easy. If you already have HSTS enabled you will be issuing the HSTS header:

 

Strict-Transport-Security: max-age=31536000; includeSubDomains

 

To be eligible for preloading all you need to do is add the preload token to your header. This indicates that you want to be preloaded:

 

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

 

Once you have the preload token in place, you can submit your domain for inclusion by going to https://hstspreload.appspot.com/

 

[Image: the HSTS preload submission site]

 

On here, simply input your domain and check your status and eligibility for preloading:

 

[Image: checking the domain's status and eligibility]

 

If you get any warnings or errors then you will need to resolve those before you can submit your site to the preload list, but once you're all set, you can hit the big Submit button:

 

[Image: domain submitted to the preload list]

 

That's it!

 

Why the test?

I wanted to see how quickly this preload will now propagate through all of the browsers that support HSTS preloading and draw from the Chromium list. That should be Chrome, Opera, Firefox, Safari and Edge I believe (comments below if I'm wrong). I will keep track of the preload status in all browsers and any help would be appreciated if you can check for me and give me a heads up!

 

hsts-preload-test.xyz submitted 11:00 UTC 22 June 2016

 

Browser  | HSTS Preloaded | Date Checked
---------|----------------|-------------
Chrome   | Yes            | 02 Sep 2016
Opera    | Yes            | 28 Sep 2016
Firefox  | Yes            | 28 Sep 2016
Safari   | No             | 22 Jun 2016
Edge     | No             | 22 Jun 2016

 

Updates:

Jun 30th 2016 - Tracking changes to the Chromium preload list I can see the domain was added in this commit. It will be available in Chrome v53.

Sep 2nd 2016 - Chrome v53 has landed and the test domain is now HSTS preloaded!

Sep 2nd 2016 - The test domain is now listed in the Firefox HSTS Preload list.

 

Scott.
Short URL: https://scotthel.me/hpt

 

About Scott
Researcher, blogger and international speaker. I'm the creator of report-uri.io and securityheaders.io, free tools to help improve online security.