HSTS Preload List Commitment

If your site is now running over HTTPS, you may be thinking about submitting it for inclusion in Chrome’s HSTS Preload List. But before you do, here’s the commitment the HSTS Preload List requires of you.

Being included in the Chrome HSTS Preload List means Chrome and other major browsers will open your site and all of its subdomains over HTTPS only.

This means you are committing to provide HTTPS for your site and all of its subdomains.

This also means you need to put some money aside every year to:

  • Renew the SSL certificate of your site.
  • Pay a developer to replace the old certificate with the new one or, if you’re a developer yourself, allocate some of your own time to do it.

Don’t even think about going back to HTTP once you have submitted your site’s domain to the HSTS Preload List.

This is not because it is difficult to get removed from the list, but because even after your site is removed from the list, your users still won’t be able to access your site over HTTP for at least some months to come.

Personally, I tried contacting the crew behind https://hstspreload.org/ when I had problems with my site’s SSL certificate.

They were very responsive and replied to my e-mail in under two hours.

They were even willing to help me remove my site’s URL from the list, but it will take some months for the changes to the list to reach your visitors’ browsers.

This means you have only two options:

  • Keep HTTPS up on your site, no matter what, at least until several months after you requested removal from the HSTS Preload List.
  • Take HTTPS down, which is no different from taking down your entire site, because no one will be able to visit it with any major browser. I tried this with Safari, Chrome, and Firefox.

Better safe than sorry.

Think it over several times and calculate your budget for supporting HTTPS on your site, especially how long you will be able to commit to it.

There is no way to go back once your site’s domain is on the Chrome HSTS Preload List. The other major browsers also use the same list.

It is better to stay with HTTP, or to go with HTTPS without inclusion in the list. That way, when you feel you have no resources to commit to HTTPS, it’s easy to go back to HTTP and your site will still be available over HTTP (browsers won’t refuse to open it).

So, always ask yourself this question: does my site really need HTTPS, given that Google has started to give weight to HTTPS sites in its ranking algorithm?

If it does, how long can my resources keep up with HTTPS?

Will I consider going back to HTTP if I realize that it’s futile to run the site over HTTPS?

Ask those questions before submitting your site to the HSTS Preload List.


HSTS stands for HTTP Strict Transport Security. It is a web security policy mechanism that helps to protect websites against protocol downgrade attacks and cookie hijacking.
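
Before submitting, it helps to know what your server already promises in its Strict-Transport-Security header. The following is an added example, not code from this post or from hstspreload.org: it parses a header value and reports whether it meets the preload submission requirements (max-age of at least one year, includeSubDomains, preload). The function names and status labels are hypothetical, and any header values you pass in are your own.

```python
# Added example: classify a Strict-Transport-Security header value.
# Function names and status strings are illustrative, not from any library.
ONE_YEAR = 31536000  # minimum max-age (seconds) accepted for preload submission


def parse_hsts(value):
    """Parse an HSTS header value into {directive_name: value_or_None}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            raise ValueError("duplicate directive: " + name)
        directives[name] = arg.strip().strip('"') if arg else None
    return directives


def preload_commitment(value):
    """Return (status, problems); pass None when the server sent no header."""
    if value is None:
        return ("no-hsts", [])
    d = parse_hsts(value)
    raw = d.get("max-age")
    if raw is None or not (raw.isascii() and raw.isdigit()):
        return ("invalid", ["max-age is missing or not a number"])
    max_age = int(raw)
    if max_age == 0:
        return ("hsts-off", [])  # tells browsers to forget the policy
    problems = []
    if max_age < ONE_YEAR:
        problems.append("max-age below %d seconds" % ONE_YEAR)
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    if problems:
        return ("hsts-only", problems)  # enforced, but not submittable
    return ("preload-ready", [])  # every subdomain is now committed to HTTPS
```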