approach0 / search-engine

A math-aware search engine.
http://approach0.xyz
MIT License
346 stars, 50 forks

Adding approach0.xyz in the HSTS preload list for (albeit small) faster loading time #18

Closed. builtfordevelopers-hstermail-c closed this 7 years ago

builtfordevelopers-hstermail-c commented 7 years ago

Without HSTS, or without HSTS being preloaded, a user would need to first connect to the website to retrieve the key and then connect again, something that won't happen if the HSTS header is preloaded. Right now there is a problem getting it added to the HSTS Preload list (which is included in all major browsers, from Chromium to Firefox).

https://securityheaders.io/?q=approach0.xyz&followRedirects=on
https://hstspreload.org/?domain=approach0.xyz

Error 1: No HSTS header is present on the response.

The website doesn't have HSTS to begin with :]

Error 2: Too many redirects: There are more than 3 redirects starting from http://approach0.xyz.

Error 3: Insecure redirect: http://approach0.xyz redirects to an insecure page on redirect #2: http://approach0.xyz/search

Error 4: Insecure redirect https://approach0.xyz redirects to an insecure page: http://approach0.xyz/search

Even solving these other redirect errors will result in faster speeds.

w32zhong commented 7 years ago

@builtfordevelopers-hstermail-c Thank you for bringing up this issue!

I have removed the redundant redirection. Now visiting http://approach0.xyz goes through only https://approach0.xyz/ and then https://approach0.xyz/search/. (I can argue these 3 steps are reasonable)

Although I doubt the necessity of using HSTS for a site like Approach0, whether for security reasons or efficiency considerations (Approach0 is just a search engine, and the current number of users is not significant), I have added a short-term HSTS header (currently only max-age=1314000) to Approach0 (check it on hstspreload again). Because Approach0 is using a free HTTPS certificate service (Let's Encrypt), a long HSTS age would completely block users from accessing our site if I fail to respond very quickly after the HTTPS certificate expires (really frequent for a free service). After all, Approach0.xyz is meant to be a demo site; I want it easy to maintain for now, and I do not expect over-tuned or unnecessary efficiency optimizations (e.g. adding the domain to the HSTS preload list and making approach0.xyz an HTTPS site forever) in the near future.

ref: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx
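An offline re-implementation of the checks behind the four errors quoted in the opening comment and of the max-age trade-off in the reply above, added here as an example that is not part of the project or of either commenter's work. The redirect chains and Strict-Transport-Security headers are constructed stand-ins, not captured responses; the one-year minimum, includeSubDomains and preload directives are what hstspreload.org requires before accepting a domain.

```python
import re
from urllib.parse import urlsplit
# Constructed stand-ins for live responses (not captured from approach0.xyz): url ->
# (status, Location, STS header). BEFORE is the chain the issue reports, AFTER the fixed one.
BEFORE = {
    "http://approach0.xyz": (301, "https://approach0.xyz/", None),
    "https://approach0.xyz/": (302, "http://approach0.xyz/search", None),
    "http://approach0.xyz/search": (301, "http://approach0.xyz/search/", None),
    "http://approach0.xyz/search/": (301, "https://approach0.xyz/search/", None),
    "https://approach0.xyz/search/": (200, None, None),
}
AFTER = {
    "http://approach0.xyz": (301, "https://approach0.xyz/", None),
    "https://approach0.xyz/": (302, "https://approach0.xyz/search/", "max-age=1314000"),
    "https://approach0.xyz/search/": (200, None, "max-age=1314000"),
}
PRELOAD_MIN_MAX_AGE = 31536000  # hstspreload.org requires at least one year

def parse_hsts(header):
    # Returns the policy directives, or None when the header is absent or has no max-age.
    directives = [d.strip().lower() for d in (header or "").split(";")]
    ages = [int(m.group(1)) for d in directives if (m := re.fullmatch(r'max-age="?(\d+)"?', d))]
    return None if not ages else {"max_age": ages[0], "preload": "preload" in directives,
                                  "includeSubDomains": "includesubdomains" in directives}

def follow_chain(start, responses, max_hops=10):
    # Walks redirects offline; records the first STS header served over https (ignored over http).
    chain, hsts = [start], None
    while len(chain) <= max_hops:
        status, location, sts = responses[chain[-1]]
        if hsts is None and sts and urlsplit(chain[-1]).scheme == "https":
            hsts = sts
        if status not in (301, 302, 307, 308) or not location:
            return chain, hsts
        chain.append(location)
    raise RuntimeError("redirect loop")

def preload_errors(start, responses):
    # The error classes quoted in the issue, plus the directives hstspreload.org requires.
    chain, hsts = follow_chain(start, responses)
    errors = ["too many redirects"] if len(chain) - 1 > 3 else []
    errors += [f"insecure redirect #{i}: {u}" for i, u in enumerate(chain[1:], 1)
               if urlsplit(u).scheme != "https"]
    policy = parse_hsts(hsts)
    if policy is None:
        return errors + ["no HSTS header"]
    if policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        errors.append("max-age below one year")
    return errors + [f"missing {d}" for d in ("includeSubDomains", "preload") if not policy[d]]
```

Run against AFTER, the short-lived header clears the redirect and missing-header errors but still fails the preload requirements, which is exactly the state the reply describes as intentional.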

builtfordevelopers-hstermail-c commented 7 years ago

@t-k- Thanks for these improvements!

Did you use Certbot to implement the Let's Encrypt cert? It does the job of automatically renewing the certificate by default. If not, you can try to set up a cron job that will renew the certificate every 90 days.

w32zhong commented 7 years ago

@builtfordevelopers-hstermail-c No, I am using a simple script to manually set up the Let's Encrypt service each time I need to. I think I will take some time to simply write a cron job to automatically run my script in the future. Thank you for recommending a nice tool to me!