Hi,
I noticed that Blockchain.info already uses the Strict-Transport-Security header (a.k.a. HSTS).
Current header:
Strict-Transport-Security: max-age=31536000; includeSubDomains;
This covers all requests but the first one that can be spoofed.
You can add blockchain.info to a list called "the HSTS preload list" so Chrome and Firefox users will only ever load the website blockchain.info using HTTPS, including the first request.
Adding a domain to that list is simple, just modify the HSTS header to this one:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
The preload flag indicates that the domain can be preloaded in this list.
Once that flag is present in the HSTS header you only have to enter "blockchain.info" in this website:
https://hstspreload.appspot.com/
The website checks that your domain has the header with the preload flag and submits it to Chrome's preloaded list.
Also, blockchain.com should be preloaded too.
TL;DR: Add "preload" to the Strict-Transport-Security header in blockchain.info and submit it here https://hstspreload.appspot.com/
Thank you for the recommendation, I was not aware this list existed previously. The preload flag has now been added to our HSTS header and submitted for review.
More info about this preloaded list:
http://www.chromium.org/sts
https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json