HSTS preload list: how to get on it
HSTS preloading is one of those rare web security features that’s both boring and incredibly useful. If you run a real production site, especially one that handles logins, payments, admin panels, or anything remotely sensitive, getting onto the HSTS preload list is usually worth doing. Why? Because normal HSTS only starts protecting users after they’ve visited your site once over HTTPS and received the Strict-Transport-Security header. Preloading removes that first-visit gap. Browsers ship with your domain baked into a hardcoded HTTPS-only list, so they’ll never attempt plain HTTP in the first place. ...