Here is how to get listed on the HTTPS Everywhere Atlas with an HSTS domain. Simply making a website HSTS is not enough; you need to inform the browsers. It is true that Google has an Appspot application where they manually sort out eligible HSTS websites after submission, but there is also an Atlas of HSTS websites, maintained by the Electronic Frontier Foundation.
Initial Steps to Get Listed on HTTPS Everywhere Atlas
How to make your website HSTS is too big a chapter to write within one blog article, but you can follow this type of guide for nginx. We have many SSL/TLS related guides; use the search function of this website if you need them. Ultimately, your headers should look like ours:
```
~ curl -I https://thecustomizewindows.com
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 06 May 2015 12:03:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=9l4n93o155f6gj9f1dl9ol74t6; path=/
Expires: Tue, 01 Mar 2016 12:03:07 GMT
Cache-Control: max-age=25920000
Pragma: no-cache
X-Pingback: https://thecustomizewindows.com/xmlrpc.php
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Public-Key-Pins: pin-sha256="cTvjlwJ90gznKckrq+Le+9w5ncyKFwzLJOkgMBNoX2M="; max-age=5184000; includeSubDomains
Cache-Control: Public
Alternate-Protocol: 443:npn-spdy/3
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```
Public-Key-Pinning is not mandatory.
---
Steps to Get Listed on HTTPS Everywhere Atlas
EFF has the project on GitHub:
```
https://github.com/EFForg/https-everywhere # copy the url to text editor
```
You will fork it to your GitHub account. Initially you need to add your website to the repo's list of websites. Then you add your rules and send a pull request. They will check it and take the update. There is no need to do anything more than the above steps. This is how everyone from PayPal and Akamai to us got into the HTTPS Everywhere Atlas. Right now our thecustomizewindows.com.xml file's ruleset is:
```xml
<ruleset name="The Customize Windows">
  <target host="thecustomizewindows.com" />
  <target host="www.thecustomizewindows.com" />
  <target host="thecustomizewindows.net" />
  <target host="www.thecustomizewindows.net" />
  <!-- Akamai CDN -->
  <securecookie host="^a248\.e\.akamai\.net$" name=".+"/>
  <!-- allow trusted services -->
  <securecookie host="^cdn\.goroost\.com$" name=".+"/>
  <securecookie host="^www\.googletagservices\.com$" name=".+"/>
  <securecookie host="^tpc\.googlesyndication\.com$" name=".+"/>
  <securecookie host="^googleads\.g\.doubleclick\.net$" name=".+"/>
  <!-- needed for debugging and dev works related to HSTS -->
  <exclusion pattern="^http://cloud\.thecustomizewindows\.com/"/>
  <rule from="^http://(?:www\.)?thecustomizewindows\.com/" to="https://thecustomizewindows.com/"/>
  <!-- forcing higher security for currently unused dot net domain -->
  <rule from="^http://(?:www\.)?thecustomizewindows\.net/" to="https://thecustomizewindows.com/"/>
</ruleset>
```
These rules are actually applied at browser level: they are shipped bundled with the extension. We used a free SSL certificate from CloudFlare for the thecustomizewindows.net domain. The chance that someone will ever open https://thecustomizewindows.net is quite rare.
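To make concrete what the browser does with such a ruleset, here is an added example (not code from this article or from the HTTPS Everywhere project) that parses the ruleset above and rewrites URLs the way the extension would: the host must match a target, exclusions are checked first, and the first matching rule wins. It is a simplified model of the extension's matching (the `*.example.com` wildcard handling and the `$1` to `\g<1>` conversion are assumptions about its semantics, not taken from the article); the `<securecookie>` elements are omitted because they change cookie flags, not URLs.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the article's ruleset, minus the <securecookie> elements,
# which affect cookie flags rather than URL rewriting.
RULESET_XML = r"""<ruleset name="The Customize Windows">
  <target host="thecustomizewindows.com" />
  <target host="www.thecustomizewindows.com" />
  <target host="thecustomizewindows.net" />
  <target host="www.thecustomizewindows.net" />
  <exclusion pattern="^http://cloud\.thecustomizewindows\.com/"/>
  <rule from="^http://(?:www\.)?thecustomizewindows\.com/" to="https://thecustomizewindows.com/"/>
  <rule from="^http://(?:www\.)?thecustomizewindows\.net/" to="https://thecustomizewindows.com/"/>
</ruleset>"""

def load_ruleset(xml_text):
    """Parse a ruleset; rule targets use JS-style $1, converted to Python's \\g<1>."""
    root = ET.fromstring(xml_text)
    return {
        "name": root.get("name"),
        "targets": [t.get("host") for t in root.findall("target")],
        "exclusions": [re.compile(e.get("pattern")) for e in root.findall("exclusion")],
        "rules": [(re.compile(r.get("from")), re.sub(r"\$(\d+)", r"\\g<\1>", r.get("to")))
                  for r in root.findall("rule")],
    }

def host_matches(targets, host):
    """Exact host match, or '*.example.com' matching any subdomain (simplified, assumed)."""
    for t in targets:
        if t == host or (t.startswith("*.") and host.endswith(t[1:])):
            return True
    return False

def rewrite(ruleset, url):
    """Return the URL the ruleset would send the browser to, or url if untouched."""
    host = urlparse(url).hostname or ""
    if not host_matches(ruleset["targets"], host):
        return url                      # ruleset does not apply to this host
    if any(ex.search(url) for ex in ruleset["exclusions"]):
        return url                      # explicitly left alone, e.g. a dev host
    for pattern, to in ruleset["rules"]:
        new_url, n = pattern.subn(to, url, count=1)
        if n:
            return new_url              # first matching rule wins
    return url
```

Call `rewrite(load_ruleset(RULESET_XML), "http://www.thecustomizewindows.com/about/")` to see the www and plain-http form collapse to `https://thecustomizewindows.com/about/`, while an already-https URL is returned unchanged.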
Today we updated to these rules. Akamai's and Google's subdomains were not in our secure cookie list, so our CORS policy was the only determinant.