It was recently pointed out to me that HSTS preloading doesn’t work on my website, and on further investigation I found two reasons for that.
Firstly, despite setting up HSTS preloading on my website when it was at https://www.rik.onl and writing a pretty detailed blog post about it, I neglected to redo this when I moved to riklewis.com. If you don’t know what I mean by HSTS preloading, please read up on HSTS before reading on.
Secondly, I was previously unaware that you can’t redirect from the insecure root address (http://riklewis.com) straight to the secure canonical address (https://www.riklewis.com) – you actually have to double hop, going first to the secure root address (https://riklewis.com). Otherwise, when you try to preload your domain, you get an error like this…
When I first did this I created the redirects by adding them to the .htaccess file, but when I moved to riklewis.com I did it using Cloudflare Page Rules, which I’m quite a fan of these days. But my one rule that redirected to the secure canonical address needed to be split in two to resolve this, and here’s what I came up with…
My two rules are as follows:
- Redirect from the insecure root address to the secure root address
- Redirect from the root address to the secure canonical address
Because only one Page Rule ever fires – the first that matches – a user hitting http://riklewis.com will actually get two 301 responses before they finally land on https://www.riklewis.com. I’m not especially happy with this from a performance standpoint, but it’s required for security, which has to win out.
On a second visit to http://riklewis.com, thanks to the HSTS header, the browser first performs a 307 internal redirect to https://riklewis.com on its own, then follows the 301 permanent redirect, like this…
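To make the double-hop requirement concrete, here is a small offline checker I’ve added for this post (not the author’s code and not the hstspreload.org scanner itself). It takes a redirect chain as a list of (status, Location) pairs plus the HSTS header served on the HTTPS root, and flags the two things the preload submission rejected: a first hop from http://root that lands anywhere other than https://root, and a header missing the one-year max-age, includeSubDomains or preload directives. The sample chains are constructed to mirror the single-hop and double-hop setups described above.

```python
import re
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # hstspreload.org requires at least one year


def parse_hsts(header):
    """Split a Strict-Transport-Security value into the directives the preload list checks."""
    directives = [d.strip().lower() for d in header.split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            max_age = int(m.group(1))
    return {
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def check_preload_chain(start_url, hops, hsts_header):
    """Return a list of problems; an empty list means the chain passes these checks.

    hops: ordered (status, location) pairs seen while following redirects from start_url.
    """
    problems = []
    start = urlsplit(start_url)
    if start.scheme == "http":
        if not hops:
            problems.append("insecure root does not redirect at all")
        else:
            status, location = hops[0]
            first = urlsplit(location)
            # The first hop must upgrade the scheme on the SAME host; changing host here
            # (e.g. straight to www) is exactly what the preload checker rejects.
            if first.scheme != "https" or first.hostname != start.hostname:
                problems.append(f"first hop must go to https://{start.hostname}, got {location}")
            if status not in (301, 302, 307, 308):
                problems.append(f"first hop uses non-redirect status {status}")
    hsts = parse_hsts(hsts_header)
    if hsts["max_age"] is None or hsts["max_age"] < MIN_MAX_AGE:
        problems.append("max-age missing or shorter than one year")
    if not hsts["include_subdomains"]:
        problems.append("includeSubDomains directive missing")
    if not hsts["preload"]:
        problems.append("preload directive missing")
    return problems


GOOD_HEADER = "max-age=31536000; includeSubDomains; preload"
# Constructed chains (not live captures) for the two setups described in the post.
SINGLE_HOP = [(301, "https://www.riklewis.com/")]
DOUBLE_HOP = [(301, "https://riklewis.com/"), (301, "https://www.riklewis.com/")]

if __name__ == "__main__":
    for name, hops in (("single hop", SINGLE_HOP), ("double hop", DOUBLE_HOP)):
        print(name, check_preload_chain("http://riklewis.com/", hops, GOOD_HEADER) or "OK")
```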
But the best news is that I’ve now successfully submitted my “new” domain to be HSTS preloaded:
Why don’t you do yours too? https://hstspreload.org