This website allows clients to enforce HTTPS on the primary domain.
However, https://theverge.com actually redirects to http://www.theverge.com (as does http://theverge.com) and has no HSTS header set, either.
That way, typing in 'theverge.com' in your browser will never connect to the site using HTTPS in the beginning (apart from redirect caching).
Websites should always redirect to the same domain on HTTPS, where HSTS should be set. Then any other redirects can be done there. (These are also requirements for the preload list)
Currently, securethenews states for 'The Verge':
However, https://theverge.com actually redirects to http://www.theverge.com (as does http://theverge.com) and has no HSTS header set, either.
That way, typing in 'theverge.com' in your browser will never connect to the site using HTTPS in the beginning (apart from redirect caching).
Websites should always redirect to the same domain on HTTPS, where HSTS should be set. Then any other redirects can be done there. (These are also requirements for the preload list)