There is a growing wave of websites and other web applications that are now moving to be TSL-only (transport layer security only, aka SSL-only).
Apart from the web site being browsed using "https", the server can also send a policy instruction in the form of a HTTP Strict Transport Security (HSTS) header. There are of course considerations for HSTS deployment, not least the effect on other sub-domains.
Since the browser needs to make at least one request before it can read this HSTS policy, the user is still vulnerable to the use of a first non-TLS connection.
However, if a web site is TLS-only and has the HSTS header, with an expiry of at least eighteen weeks (10886400 seconds), has the "includeSubdomains" and "preload" attributes set, then the information can be hard coded into certain web browsers such that they will never request the site without using TLS, regardless of what a user types in or clicks on.
The machine readable HSTS preload lists are:
The entry for clerkendweller.uk in Chrome's list is illustrated above.
Once you have configured your website, use this form from Google to submit your information. The data is included with the preload lists for Safari and Firefox. Note the inclusion in the preload list is irreversible.
Posted on: 02 July 2015 at 07:49 hrs