HSTS preloading (again)

It was recently pointed out to me that the HSTS preloading doesn’t work on my website, and upon further investigation, there were two reasons for that.

Firstly; despite setting up HSTS preloading on my website when it was at https://www.rik.onl and writing a pretty detailed blog post about it, I neglected to re-do this when I moved to riklewis.com.  If you don’t know what I mean by HSTS preloading, please read more about HSTS before reading on.

Secondly; I was previously unaware that you couldn’t direct from the insecure root address (http://riklewis.com) straight to the secure canonical address (http://www.riklewis.com) – you actually have to double hop, going first to the secure root address (https://riklewis.com).  Otherwise when you try to preload your domain, you get an error like this…

When I first did this I created the redirects by adding them into the .htaccess file, but when I moved to riklewis.com I did it using Cloudflare Page Rules, which I’m quite a fan of these days.  But my one rule that was redirecting to the secure canonical address would need to be split up to resolve this, and here’s what I came up with…

My two rules are as follows:

  1. Redirect from the insecure root address to the secure root address
  2. Redirect from the root address to the secure canonical address

Because only one Page Rule ever fires – the first that matches – this means that a user hitting http://riklewis.com will actually get two 301 responses before they finally land on https://www.riklewis.com.  I’m not especially happy with this from a performance standpoint, but it’s required for security, which has to win out.

On the second visit to http://riklewis.com, due to the HSTS header, they’ll first get a 307 internal redirect, then the 301 permanent redirect, like this…

But the best news is that I’ve now successfully submitted my “new” domain to be HSTS preloaded:

Why don’t you do yours too?  https://hstspreload.org