Why HSTS on fly.dev for subdomains?

I just did the fly quickrun and deployed a simple HTTP service.
Unfortunately I couldn’t access it in the browser afterwards because I was always redirected to HTTPS, which of course didn’t work, while curl showed a 200 response for HTTP.
I suspect the cause is the HSTS header on fly.dev:
strict-transport-security: max-age=63072000; includeSubDomains

Why is this header set for fly.dev? Doesn’t this break all HTTP on all subdomains?

Certain new TLDs, like .dev and .app, were created as “HTTPS only”:

The .dev top-level domain is incorporated on the HSTS preload list, requiring HTTPS on all .dev domains without individual HSTS enlistment.

1 Like

[edit] beat me to it ^^

*.dev is on the HSTS preload list by default:

Get built in security

Your security is our priority. The .dev top-level domain is included on the HSTS preload list, making HTTPS required on all connections to .dev websites and pages without needing individual HSTS registration or configuration. Security is built in.

See also: Always Be Connecting (with HTTPS) · Fly

2 Likes