Google owns a couple of TLDs (.app, .dev, etc.) and they preloaded all of them 😒
Comment on Self hosting and HSTS preload domains
just_another_person@lemmy.world 1 year ago
Required? That’s quite a commitment. Is this a Cloudflare thing?
All it really means is that you have to advertise some metadata about your max-age and (sub)domains associated with whatever the domain is. If you’re only planning to serve over HTTPS, and you have a bulletproof refresh workflow for your certs, it’s not going to be a huge issue. Clients need to respect HSTS first, so if your clients don’t check, it’ll still function.
If you’re just using internal or VPN traffic, there’s literally no point in using it EXCEPT to satisfy client requirements.
Can you expound a bit more on this requirement btw? Now I’m curious.
wildbus8979@sh.itjust.works 1 year ago
just_another_person@lemmy.world 1 year ago
[deleted]
wraith@lemmy.ca 1 year ago
I think you meant to reply to me! I actually do need it to be accessible externally, via a VPN or other means.
wraith@lemmy.ca 1 year ago
Google requires HSTS preload for all of their domains. Charleston Road Registry (their subsidiary) enforces this by adding the TLD to the HSTS preload list.
just_another_person@lemmy.world 1 year ago
Yeah, but you’re saying this is going to be used internal to you only, right? No public facing exposure?
wraith@lemmy.ca 1 year ago
I will need it to be available via a VPN or other means, but it’s not going to be any more public-facing than it has to be.
just_another_person@lemmy.world 1 year ago
Right, so if it’s going to JUST be available over VPN, you don’t need to use a public TLD, DNS, or HSTS at all. Why use the public TLD with these requirements and expose private IP address space over public DNS if its sole purpose isn’t going to be consuming publicly?
Xanza@lemm.ee 1 year ago
There are specific TLDs which are required at the DNS level to be served over HTTPS.
.dev is an example. The browser will physically not load a .dev domain over anything but HTTPS.
just_another_person@lemmy.world 1 year ago
Yeah, I got that, but this is an internal system OP is discussing. DNS forwarder and VPN. Solved.
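The following is an added example, not written by any commenter in the thread and not taken from browser source code. It models how a client decides to rewrite `http://` to `https://`, combining a preloaded whole-TLD entry with policies learned from a `Strict-Transport-Security` header. The `PRELOADED` subset, the hostnames and the function names are constructed for illustration.

```python
# Constructed subset of a browser's built-in preload list: entry -> include_subdomains.
# A whole-TLD entry such as "dev" covers every name registered under it.
PRELOADED = {"dev": True, "app": True}

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age is required")
    return max_age, include_sub

def note_header(store, host, value, now):
    """Record a policy seen on an HTTPS response; max-age=0 deletes it."""
    max_age, include_sub = parse_hsts(value)
    host = host.lower().rstrip(".")
    if max_age == 0:
        store.pop(host, None)
    else:
        store[host] = (now + max_age, include_sub)

def must_upgrade(host, store, now):
    """Return why http://host is rewritten to https://, or None if it is not."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        exact = (i == 0)  # parent entries apply only with includeSubDomains
        if candidate in PRELOADED and (exact or PRELOADED[candidate]):
            return "preloaded:" + candidate
        entry = store.get(candidate)
        if entry and entry[0] > now and (exact or entry[1]):
            return "dynamic:" + candidate
    return None
```

A hostname under a preloaded TLD is upgraded even when the server never sends the header and the name resolves only on an internal resolver or over a VPN, so such a service needs a certificate the client trusts.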