Brain breaker of the day at :

A domain kept being redirected from http:// to https:// while the server wasn't set-up for TLS.

So I:
- cleared all caches
- tried in a different browser (chromium didn't redirect but Firefox did)
- wget worked like expected
- spent 30 mins searching for obscure firefox settings

Turns out some TLD's like .dev and .app have set HSTS at the TLD level. Firefox respects this and always redirects those domains to https://

Pretty nice, if you know about it 😅

@kingannoy This extends to non-TLDs as well, Chrome and other browsers have a hard-coded list of domains that will do SSL only based on

Yeah, I knew about that one, and I forgot to mention it but I actually checked that list too!

@kingannoy Since nobody's likely to fetch https://dev/ or whatever this can't be via a normal HSTS header so I'm puzzled how this works. Is there something actually in the DNS for those TLDs or is it just done via the preload list or somehow else?


This blogpost is the most extreme example of "before we get to my recipe for a omelette, let me tell you my life story" but it's well written and actually interesting:

Conclusion: it's added to the preload list.

@kingannoy Thanks. Yes, a good read which eventually gets to the point.

(BTW, “Adding country-code domains like .fr or .uk was straightforward, …” amused me. The .uk domain name is not a straightforward CC, ask Ukraine).

Sign in to participate in the conversation

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!