Information

This form is used to submit domains for inclusion in Chrome's HTTP Strict Transport Security (HSTS) preload list. This is a list of sites that are hardcoded into Chrome as being HTTPS only.

Most major browsers (Chrome, Firefox, Opera, Safari, IE 11 and Edge) also have HSTS preload lists based on the Chrome list. (See the HSTS compatibility matrix.)

Submission Requirements

If a site sends the preload directive in an HSTS header, it is considered to be requesting inclusion in the preload list and may be submitted via the form on this site.

In order to be accepted to the HSTS preload list through this form, your site must satisfy the following set of requirements:

  1. Serve a valid certificate.
  2. Redirect from HTTP to HTTPS on the same host.
  3. Serve all subdomains over HTTPS.
    • In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists.
  4. Serve an HSTS header on the base domain for HTTPS requests:
    • The max-age must be at least eighteen weeks (10886400 seconds).
    • The includeSubDomains directive must be specified.
    • The preload directive must be specified.
    • If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (rather than the page it redirects to).

For more details on HSTS, please see RFC 6797. Here is an example of a valid HSTS header:

Strict-Transport-Security: max-age=10886400; includeSubDomains; preload

You can check the status of your request by entering the domain name again in the form above, or consult the current Chrome preload list by visiting chrome://net-internals/#hsts in your browser. Note that new entries are hardcoded into the Chrome source code and can take several months before they reach the stable version.

Continued Requirements

You must make sure your site continues to satisfy the submission requirements at all times.

Chrome has not yet removed any domains from the preload list for failing to keep up the requirements after submission, but there are plans to do so in the future. In particular, note that the requirements above apply to all domains submitted through hstspreload.appspot.com on or after February 29, 2016 (i.e. preloaded after Chrome 50).

Removal

Be aware that inclusion in the preload list cannot easily be undone. Domains can be removed, but it takes months for a change to reach users with a Chrome update and we cannot make guarantees about other browsers. Don't request inclusion unless you're sure that you can support HTTPS for your entire site and all its subdomains over the long term.

However, we will generally honor requests to be removed from Chrome's preload list if you find that you have a subdomain that you cannot serve over HTTPS for strong technical or cost reasons. To request removal, please:

It is up to you whether you would like to remove the includeSubDomains directive or change the max-age value, as long as you remove the preload directive. In particular, you may want to set max-age=0 as a knockout entry for Firefox.

Contact

If you have questions or requests that are not covered by this page, email Lucas Garron at hstspreload@chromium.org.
