HSTS Preload List Commitment

If your site is now running on https protocol, you might be tempted for inclusion into the Chrome's HSTS Preload List.

Being included in Chrome HSTS Preload List means Chrome and other major browsers will only opened your site and all of its subdomain with https only.

This means, you have commitment to provide https for your site and all of its subdomains.

This also means, you need to put some money aside every year to:

  • Renew the SSL certificate of your site.
  • Pay developer to update the old certificate with the new one or if you're developer yourself, allocate some of your time to update it yourself.

Don't even think to go back into http once you submitted your site domain for HSTS Preload List.

This is not because of the difficulties to remove it from the list, but it's because even your site is removed from the list, your users still won't be able to access your site with http protocol for at least some next months. 

Personally, I had tried to contact the crew behind https://hstspreload.org/ when I had problems with my site's SSL certificate.

They're very responsive, and reply my e-mail under two hours.

They're even willing to help me to remove my site URL from the list but it will take some months for the changes on the list to reach your browser's visitor.

This means, you only had two options:

  • Put up the https on your site, no matter what. At leat, until several months ahead after your site is removed from the HSTS Preload list.
  • Put down the https which is no difference with putting down your entire site because no one will ever able to visit it with any major browsers. I tried this with Safari, Chrome, and Firefox.

Better safe than sorry.

Think several times, calculate your budgets to support the https of your site, especially how long you will be able to commit to support https on your site.

There is no way to go back once your site's domain is included on the Chrome HSTS Preload list ( which is used by other major browsers too).

It is better to stay with http, or go with https without the inclusion to the list so when you feel you have no resources to commit on https, it's easy to go back on http and your site will still available through http ( browsers won't refuse to open it ).

So, always ask this question to yourself: does my site really need https, given the fact that Google's started to give a weight on their ranking algorithm for https site?

If it does, how long my resources can keep up with https?

Will I consider to go back to http if I realize that it's futile to run site over https protocol?

Ask those questions, before submitting your site to the HSTS Preload List.

HSTS stands for HTTP Strict Transport Security HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against protocol downgrade attacks and cookie hijacking.