HSTS Preloading

HSTS (HTTP Strict Transport Security) preloading is the process of submitting a domain to browser vendors' hardcoded lists of sites that must always be accessed over HTTPS, even before the first visit. Unlike the standard HSTS header (which is learned on first connection), preloaded domains are protected from the very first request — including on completely fresh browser installations. To qualify for preloading, a domain must serve a valid [[ssl-tls|TLS certificate]], redirect all HTTP to HTTPS, set an HSTS header with max-age of at least 31536000 seconds, and include the preload and includeSubDomains directives. Some entire [[tld|TLDs]] such as .dev and .app are HSTS-preloaded at the TLD level.

Example

After submitting stripe.com to the HSTS preload list, any browser that ships the list — even one that has never visited Stripe — will never send a plain-HTTP request to the domain: the request is upgraded to HTTPS before it leaves the browser, so an on-path attacker has no plaintext request to intercept and SSL stripping attacks fail.