@jrtapsell
Last active January 7, 2018 17:09

What is the issue with preloading and Netlify

Trying to preload a site that uses Netlify for its base domain, with www as the default host, fails.

What causes the issue

The redirects Netlify uses are:

This is an issue, as the browser never visits http://example.com. The correct redirects would be:

Why is this an issue

The HSTS spec says:

If an HTTP response is received over insecure transport, the UA MUST ignore any present STS header field(s).

So sending the headers with request O1 would do nothing.

The header could be sent on request O2, but www.example.com is a subdomain, and if you try to submit that as the preloaded site you get this:

Error: Subdomain

www.example.com is a subdomain. Please preload example.com instead. (Due to the size of the preload list and the behaviour of cookies across subdomains, we only accept automated preload list submissions of whole registered domains.)

The other issue is that the includeSubDomains directive would be given for www.example.com, so only subdomains of www.example.com would be covered, rather than subdomains of example.com. This would stop browsers that do not have the site preloaded from finding the header and setting HSTS for the whole domain.
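
The two points above, modelled as an added example (not part of the original gist): it computes which HSTS policies a browser would store for a redirect chain, ignoring headers received over http:// and scoping includeSubDomains to the host that sent it. Both chains are constructed, and the single hop from http://example.com to https://www.example.com is an assumption based on the description above.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload)."""
    max_age, include_sub, preload = None, False, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload

def hsts_hosts(chain):
    """Return {host: include_subdomains} for the policies a browser would store.

    chain is a list of (url, response_headers) hops in visit order.
    """
    stored = {}
    for url, headers in chain:
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            continue  # header over insecure transport is ignored (HSTS spec)
        max_age, include_sub, _ = parse_hsts(value)
        if max_age is None:
            continue  # max-age is required; a header without it is invalid
        if max_age > 0:
            stored[parts.hostname] = include_sub
        else:
            stored.pop(parts.hostname, None)  # max-age=0 clears the policy
    return stored

def covered(host, stored):
    """True if host matches a stored policy exactly or via a parent's includeSubDomains."""
    return any(host == h or (sub and host.endswith("." + h)) for h, sub in stored.items())

# Constructed sample data for the placeholder domain example.com.
HSTS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
# Assumed current behaviour: one hop from the insecure apex straight to www.
DIRECT = [("http://example.com/", HSTS), ("https://www.example.com/", HSTS)]
# Split redirects: upgrade to HTTPS on the apex first, then move to www.
SPLIT = [("http://example.com/", HSTS), ("https://example.com/", HSTS),
         ("https://www.example.com/", HSTS)]
```

With the direct chain only www.example.com ends up with a policy, so the apex and sibling subdomains stay unprotected; with the split chain the apex policy covers them.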

What can I do about this

At the moment there is an issue open on Netlify's internal tracker for this.

As a temporary workaround you can use a service like Cloudflare to split the redirects, but once the issue is fixed this will not be necessary.
