Information
This form is used to submit domains for inclusion in Chrome's HTTP Strict Transport Security (HSTS) preload list. This is a list of sites that are hardcoded into Chrome as being HTTPS only.
Most major browsers (Chrome, Firefox, Opera, Safari, IE 11 and Edge) also have HSTS preload lists based on the Chrome list. (See the HSTS compatibility matrix.)
Submission Requirements
If a site sends the preload directive in an HSTS header, it is considered to be requesting inclusion in the preload list and may be submitted via the form on this site.
In order to be accepted to the HSTS preload list through this form, your site must satisfy the following set of requirements:
- Serve a valid certificate.
- Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.
- Serve all subdomains over HTTPS.
- In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists.
- Serve an HSTS header on the base domain for HTTPS requests:
- The max-age must be at least eighteen weeks (10886400 seconds).
- The includeSubDomains directive must be specified.
- The preload directive must be specified.
- If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (rather than the page it redirects to).
For more details on HSTS, please see RFC 6797. Here is an example of a valid HSTS header:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
You can check the status of your request by entering the domain name again in the form above, or consult the current Chrome preload list by visiting chrome://net-internals/#hsts in your browser. Note that new entries are hardcoded into the Chrome source code and can take several months before they reach the stable version.
Deployment Recommendations
If your site is committed to HTTPS and you want to preload HSTS, we suggest the following steps:
- Examine all subdomains (and nested subdomains) of your site and make sure that they work properly over HTTPS.
- Add the Strict-Transport-Security header to all HTTPS responses and ramp up the max-age in stages, using the following header values:
-
5 minutes:
max-age=300; includeSubDomains -
1 week:
max-age=604800; includeSubDomains -
1 month:
max-age=2592000; includeSubDomains
-
5 minutes:
- Once you're confident that there will be no more issues, increase the max-age to 2 years and submit your site to the preload list:
-
2 years, requesting to be preloaded:
max-age=63072000; includeSubDomains; preload
-
2 years, requesting to be preloaded:
If you have a group of employees or users who can beta test the deployment, consider trying the first few ramp-up stages on those users. Then make sure to go through all stages for all users, starting over from the beginning.
Consult the Mozilla Web Security guidelines and the Google Web Fundamentals pages on security for more concrete advice about HTTPS deployment.
Continued Requirements
You must make sure your site continues to satisfy the submission requirements at all times.
Chrome has not yet removed any domains from the preload list for failing to keep up the requirements after submission, but there are plans to do so in the future. In particular, note that the requirements above apply to all domains submitted through hstspreload.org (or hstspreload.appspot.com) on or after February 29, 2016 (i.e. preloaded after Chrome 50).
Preloading Should Be Opt-In
If you maintain a project that provides HTTPS configuration advice or provides an option to enable HSTS, do not include the preload directive by default. We get regular emails from site operators who tried out HSTS this way, only to find themselves on the preload list by the time they find they need to remove HSTS to access certain subdomains. Removal tends to be slow and painful for those sites.
It's great to support HSTS preloading as a best practice, and for projects to provide a simple option to enable it. However, site operators who enable HSTS should know about the long-term consequences of preloading before they turn it on for a given domain. They should also be informed that they need to meet additional requirements and submit their site to hstspreload.org to ensure that it is successfully preloaded (i.e. to get the full protection of the intended configuration).
Removal
Be aware that inclusion in the preload list cannot easily be undone. Domains can be removed, but it takes months for a change to reach users with a Chrome update and we cannot make guarantees about other browsers. Don't request inclusion unless you're sure that you can support HTTPS for your entire site and all its subdomains the long term.
However, we will generally honor requests to be removed from Chrome's preload list if you find that you have a subdomain that you cannot serve over HTTPS for strong technical or cost reasons. To request removal, please:
- Enter your domain at the top of this page and check that the result is "currently preloaded" or "pending submission" (else, any issues you may have are not due to preloading, and we cannot help).
- Continue to serve an HSTS header over HTTPS from the domain in question, but remove the preload directive. If you completely want to disable HSTS, you can send:
Strict-Transport-Security: max-age=0 - Contact Lucas Garron with the subject Removal Request: [your domain]
- Please use this email template.
- Give specific reasons why you cannot stay preloaded (e.g. which subdomains cannot be moved to HTTPS and why).
- If you never intended to be preloaded, please let us know if you can tell why your domain was sending an HSTS header with the preload directive.
- If possible, please send the request from the WHOIS contact email for the domain.
Contact
Want to remove your domain? Please send an email by following the removal request instructions above.
Else, if you have questions or requests that are not covered by this page, email Lucas Garron here using an appropriate subject line.