: Do I need a wildcard SSL certificate for inclusion in the HSTS preload list? I'd like to submit my personal site into the Chrome HSTS preload list. The site there says: In order to be
I'd like to submit my personal site into the Chrome HSTS preload list.
The site there says:
In order to be included on the HSTS preload list, your site must:
Have a valid certificate.
Redirect all HTTP traffic to HTTPS - i.e. be HTTPS only.
Serve all subdomains over HTTPS.
Serve an HSTS header on base domain:
Expiry must be at least eighteen weeks (10886400
seconds). The includeSubdomains token must be specified. The preload
token must be specified. If you are serving a redirect, that redirect
must have the HSTS header, not the page it redirects to.
Does this mean my certificate must be valid for all subdomains, or only that they are available/served over HTTPS? (I have a certificate for sub.example.com, but not the root.)
Can I apply to the HSTS preload list with a subdomain, like sub.example.com?
More posts by @Samaraweera270
4 Comments
Sorted by latest first Latest Oldest Best
Do all subdomains need to use HTTPS?
Technically, to be included only the root domain needs to be using HTTPS, but once you get included then any sites under the root domain need to use HTTPS, otherwise connecting will fail, so practically you will want all subdomains to use HTTPS.
Can I apply to the HSTS preload list with a subdomain, like sub.example.com?
No, if you try to test a subdomain you will get the following warning
example.jrtapsell.co.uk is a subdomain. Please preload jrtapsell.co.uk instead. (Due to the size of the preload list and the behaviour of cookies across subdomains, we only accept automated preload list submissions of whole registered domains.)
The way this is checked is via a public suffix list, like this one: publicsuffix.org/list/
Do I need to use a wildcard certificate to apply for the preload list?
No, as long as the SSL config is valid then you can apply, the certificate type does not matter.
It is necessary to include all subdomains as SSL to get into the preload list as found here hstspreload.appspot.com/
Have a valid certificate.
Redirect all HTTP traffic to HTTPS - i.e. be HTTPS only.
Serve all subdomains over HTTPS.
Serve an HSTS header on base domain:
Expiry must be at least eighteen weeks (10886400 seconds).
The includeSubdomains token must be specified.
The preload token must be specified.
If you are serving a redirect, that redirect must have the HSTS header, not the page it redirects to.
Does that mean you need a wildcard? Nope. You can get individual SSL certs for each subdomain. This would probably be cheapest route. You can choose wildcard, but until you have 5+ subdomains worth protecting, its not worth it financially. Either way, all the subdomains must be HTTPS mode if you want to be preloaded.
Using that thought, if you use a subdomain as a root, you would have to protect the subdomain of the subdomain in the same manner :) Or of course, backwards as well, you can't declare HSTS on a sub without protecting the TLD root.
It is not mandatory to have a wildcard SSL Certificate for the inclusion in the HSTS preload list.
If you have a single domain you can use any Domain Validated SSL Certificate for the inclusion in the HSTS preload list rather than using Wildcard SSL Certificate.
While I've not tried it personally, having read through the HSTS standard (RFC 6797) I interpret/understand the following:
If the parent domain is HSTS compliant then it does not have to but can enforce policy for subdomains to also be HSTS compliant by issuing the includeSubDomains directive in the STS HTTP header.
If the parent domain is not HSTS compliant then it would not stop a sub-domain from being HSTS compliant. A subdomain should be able to work fully with HSTS provided that it issues the appropriate HTTP headers and works properly at subdomain.example.com/.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.