While I have only recently set up my name servers and just ordered a TLS certificate, I thought I would test my website and custom 404 page. So I disabled HTTPS-only mode in Firefox for my site and pointed the server IP address to my domain with /etc/hosts.
For some reason, it's still attempting to connect with HTTPS, so I'm wondering if it's currently being forced by InfinityFree. A down detector website showed that my website was live. Not sure what I'm missing.
HTTPS is not forced by our hosting, it's forced by your domain. Google put the .dev domain extension on the HSTS preload list. That means every website using a .dev domain must use HTTPS at all times.
Maybe Firefox has some about:config flag to disable HSTS enforcement. But I think that just setting up SSL on your site is probably easier.
Oh! I didn't know Google was forcing HSTS. Probably a good thing anyway. There's no such flag in Firefox anymore. They used to have security.mixed_content.use_hstsc but it was removed. I could probably get it working by altering the Firefox source code, but I guess I'll just wait for my TLS certificate to come in.
If anyone is interested: "show raw" https://source.chromium.org/chromium/chromium/src/+/main:net/http/transport_security_state_static.json
and then scroll a bit and you have a list (gTLDs and eTLDs).
I see that my domain is on the list (Ctrl+F).
As far as I could read on the net, preload is useful because it prevents someone from setting the clock (NTP) 1000 years in advance, etc., and other actions that were once possible…
And it's interesting that, compared to Linux and Mac, Windows was the safest in that regard because it often synchronized the clock but also used auth for time servers and did not allow setting a plus or minus of 15h.
I love that .meme has HSTS preload. Memes require the utmost extensive standards in security, of course. Really though, this is quite helpful. I also found the HSTS preload list that Mozilla maintains in its source tree as well.
Mozilla Release HSTS Preload List
It's a lot more difficult to read than the one in the Chromium source tree though, because it's strictly alphabetical. You can view the raw file by clicking "raw" at the top of the page and use Ctrl+F. While looking into this, I also found this tool, which is definitely the easiest way to check if you have HSTS preload enabled.
That website from Google (the tool) may not always return the truth, because here is a real example:
that website is on this IP,
and I have blocked Google's ASN on my Cloudflare (because a lot of bad traffic comes from there),
and if you try my domain, it will tell you that it is not preloaded - which is not true!
So it is better to rely on the list that browsers look for in the background.
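Both the post above (check the raw Chromium list instead of a web tool) and the earlier one (open transport_security_state_static.json and Ctrl+F for your domain) come down to reading the list the browser ships. A plain text search misses the subtlety that a domain is preloaded not only when it appears by name, but also when any parent label appears with include_subdomains set, which is exactly how the .dev entry catches every site under it. The script below is an added example, not code from this thread, from InfinityFree or from Chromium: it strips the // comment lines Chromium keeps ahead of and inside the JSON, parses the entries, and walks a hostname up through its parent labels the way a browser does. The embedded sample is constructed to mirror the file's layout; its hosts (example.net, hsts-only.example.org) are made up for the example, while dev and meme are shown because the thread mentions them. Pass a real downloaded copy of the file as the first argument to check against the actual list.

```python
import json
import sys

# Constructed sample in the layout of Chromium's
# net/http/transport_security_state_static.json: // comment lines, then a
# JSON object whose "entries" array holds one object per host or suffix.
# The example.net / example.org hosts are made up for this example.
SAMPLE_PRELOAD_JSON = r'''
// Copyright header and explanatory comments precede the JSON in the real file.
// Each entry: name, optional policy, mode ("force-https"), include_subdomains.
{
  "pinsets": [],
  "entries": [
    // gTLDs that are preloaded wholesale
    { "name": "dev", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
    { "name": "meme", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true },
    // individual sites
    { "name": "example.net", "policy": "custom", "mode": "force-https", "include_subdomains": false },
    { "name": "hsts-only.example.org", "policy": "custom", "mode": "force-https", "include_subdomains": true }
  ]
}
'''


def load_preload_entries(text):
    """Drop // comment lines (the file is not strict JSON), parse, and index by name."""
    stripped = "\n".join(
        line for line in text.splitlines() if not line.lstrip().startswith("//")
    )
    data = json.loads(stripped)
    return {entry["name"].lower(): entry for entry in data["entries"]}


def preload_status(hostname, entries):
    """Return the entry that governs hostname, or None.

    Walk from the exact host to each parent label. The exact host matches
    unconditionally; a parent only matches when its include_subdomains flag is
    true, which is the rule browsers apply to the static list.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = entries.get(candidate)
        if entry is None:
            continue
        if i == 0 or entry.get("include_subdomains", False):
            return entry
    return None


def is_preloaded(hostname, entries):
    """True when a matching entry actually forces HTTPS (pin-only entries do not)."""
    entry = preload_status(hostname, entries)
    return entry is not None and entry.get("mode") == "force-https"


def explain(hostname, entries):
    """Human-readable verdict, naming the entry that caused it."""
    entry = preload_status(hostname, entries)
    if entry is None:
        return f"{hostname}: not on the preload list"
    if entry.get("mode") != "force-https":
        return f"{hostname}: listed via '{entry['name']}' but without force-https"
    via = "exact entry" if entry["name"] == hostname.lower().rstrip(".") else "parent entry"
    return f"{hostname}: preloaded via {via} '{entry['name']}' (policy={entry.get('policy', 'n/a')})"


# Indexed once so callers (and the checks below) can reuse it.
SAMPLE_ENTRIES = load_preload_entries(SAMPLE_PRELOAD_JSON)


if __name__ == "__main__":
    # usage: python hsts_preload_check.py [transport_security_state_static.json] host [host ...]
    args = sys.argv[1:]
    if args and args[0].endswith(".json"):
        with open(args[0], encoding="utf-8") as fh:
            entries = load_preload_entries(fh.read())
        hosts = args[1:]
    else:
        entries = SAMPLE_ENTRIES
        hosts = args or ["mysite.dev", "www.example.net", "example.com"]
    for host in hosts:
        print(explain(host, entries))
```

Run against the embedded sample it reports that mysite.dev is preloaded through the parent entry dev, that www.example.net is not (the example.net entry lacks include_subdomains), and that example.com is absent. The comment stripping is line-based, so it tolerates the comment lines Chromium interleaves between entries; if a downloaded copy ever fails to parse, check for a comment that shares a line with JSON, which this simple filter does not handle.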