Why HSTS on fly.dev for subdomains?

I just did the fly quickrun and deployed a simple HTTP service.
Unfortunately I couldn’t access it in the browser afterwards because I was always redirected to HTTPS, which of course didn’t work, while curl showed a 200 response for HTTP.
I suspect the cause is the HSTS header on fly.dev:
strict-transport-security: max-age=63072000; includeSubDomains

Why is this header set for fly.dev? Doesn’t this break all HTTP on all subdomains?

Certain new TLDs, like .dev and .app, were created as “HTTPS only”:

The .dev top-level domain is incorporated on the HSTS preload list, requiring HTTPS on all .dev domains without individual HSTS enlistment.

1 Like

[edit] beat me to it ^^

*.dev is on the HSTS preload list by default:

Get built in security

Your security is our priority. The .dev top-level domain is included on the HSTS preload list, making HTTPS required on all connections to .dev websites and pages without needing individual HSTS registration or configuration. Security is built in.

See also: Always Be Connecting (with HTTPS) · The Fly Blog

2 Likes
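To make the two mechanisms in this thread concrete, here is an added example (not code from the thread or from Fly.io) that parses the header quoted above and decides whether a browser would upgrade `http://host`; `PRELOADED_TLDS` is an assumed stand-in for the real browser preload list, and `parse_hsts`, `hsts_covers` and `https_forced` are names chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Header quoted in the thread, as served by fly.dev.
FLY_DEV_HSTS = "strict-transport-security: max-age=63072000; includeSubDomains"

# Assumption: a tiny stand-in for the browser's HSTS preload list (real
# browsers ship the full Chromium list). .dev and .app are preloaded as TLDs.
PRELOADED_TLDS = {"dev", "app"}


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Names are case-insensitive, max-age is mandatory, duplicates are invalid."""
    if value.lower().startswith("strict-transport-security:"):
        value = value.split(":", 1)[1]  # tolerate a pasted 'name: value' line
    max_age, include_subdomains, seen = None, False, set()
    for raw in value.split(";"):
        if not raw.strip():
            continue
        name, _, val = raw.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives are ignored, as the RFC requires
    return None if max_age is None else HstsPolicy(max_age, include_subdomains)


def hsts_covers(host: str, policy_host: str, policy: HstsPolicy) -> bool:
    """True if a policy cached for policy_host forces HTTPS on host."""
    host, policy_host = host.lower().rstrip("."), policy_host.lower().rstrip(".")
    if policy.max_age == 0:  # max-age=0 deletes the cached entry
        return False
    return host == policy_host or (
        policy.include_subdomains and host.endswith("." + policy_host))


def https_forced(host: str, cached: Dict[str, HstsPolicy]) -> bool:
    """Would a browser (unlike curl, which ignores HSTS) upgrade http://host?"""
    if host.lower().rstrip(".").rsplit(".", 1)[-1] in PRELOADED_TLDS:
        return True  # whole TLD is preloaded, no header ever needed
    return any(hsts_covers(host, ph, p) for ph, p in cached.items())
```

Running `https_forced("myapp.fly.dev", {})` returns True before any header is seen, which is why the browser redirected while curl, which does not implement HSTS, still returned 200 over plain HTTP.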