loading...

HSTS Preloading of all .Dev domains - Troubleshooting

shehackspurple profile image Tanya Janca Updated on ・4 min read

I've been quietly planning out We Hack Purple (previously shehackspurple.dev) for the past little while, with the intent to announce it while at RSAC last week in San Francisco. My new site provides regular security content for a modest fee ($7/month), all created by yours truly, on the topics of DevSecOps, AppSec, Cloud Security, MFA, etc. Soon I will be releasing full length training courses on these topics, also at affordable prices.

That said, when I pointed my domain at Podia.com (the place that is hosting my content), I followed the directions, and it did not work. The https://www.shehackspurple.dev link worked, but the apex domain, https://shehackspurple.dev, was throwing a security error. The instructions were to point the CNAME record for "www" to the Podia address for my content, no problem. Then forward the apex domain (no "www" at the front), to the www address for my site. I wasn't sure why but the following error was thrown in all browsers.

HOW EMBARRASSING! I teach how to implement HSTS, then I can't get it right? Ahh!

By this point I knew it was an HSTS problem, and that I was being pre-loaded, so I tried to remove my URL from being pre-loaded. Sounds easy right? Nope.

Failing at having my site removed from HSTS Loading

At this point I felt I had to ask for help, people were clicking on the links from my presentations and getting this embarrassing error. Time to swallow my pride. I called GoDaddy, the ones who sold me the ".dev" domain name, and they had no idea. I called Podia, and they were also at a loss.

They did not answer my accusatory tweet.

So then I did what I always do when I'm completely stuck; I asked my brilliant twitter followers.

Within 10 minutes someone pointed out that Google had purchased the entire ".dev" domain (I didn't know that was possible) and decided to force pre-loading of the HSTS security header on all of the domains under .Dev. THAT was why I could not get my URL to stop being pre-loaded. This news surprised me because 1) shouldn't GoDaddy have known this was the issue since they sold me the .dev domain? 2) forcing a security feature on everyone often leads to poor results and 3) apparently some people think that ".dev" means a site that is under development, when it actually means "for developers". No one is going to buy a completely separate domain so they can host their dev stuff on it, internal to their own networks. That makes zero sense folks.

In summary, I bought a .dev because I thought that's where all the cool kids were, but it turns out that the .dev addresses come with baggage. My emails from my new domain are too-often caught in spam filters, and now this HSTS situation... But I digress.

I read a few articles on this topic, and I learned that the TLS handshake couldn't be completed on the apex (my domain without the "www" at the front), because I had it forwarding to my www domain. HSTS forces you to complete the handshake. GoDaddy's forwarding feature doesn't complete it, it just forwards it directly, which is not enough for HSTS, it's strict.

Once I knew what the problem was, then I had to figure out a way to hack around it. I'm stubborn and did not want to have to start all over with a new domain. No way.

Luckily a whole bunch of my followers had great ideas. Michael Buckbee was particularly helpful, helping me figure out that the APEX (https://shehackspurple.dev) needed to terminate the TLS, so then I just needed to figure out how to do it. PS Thanks Michael!

Thanks Michael!

This is where I turned to CloudFlare. No, this is not an advertisement for them, we aren't affiliated (but if they want to buy a subscription to my site that would be cool!).

CloudFlare protects sites from DDOS and other internet problems, and in the process they forward your traffic. GREAT, I needed my traffic forwarded. And since they are a security company they terminate the TLS. PERFECT.

First I set up CloudFlare, which was super-simple. They have a free plan and I choose that one, so far so good.

I set up CloudFlare

Then I created a Page Rule to forward my Apex URL to my www URL, like so.

CloudFlare Page Rule

And BOOM, SheHacksPurple.dev is no longer broken, and I can post content for all to find. :-D


If you want to continue to develop your skills, check out WeHackPurple Academy’s NEW course, Application Security Foundations taught by yours truly! There is also a lot of awesome content to subscribe to for only 7$ a month!

Discussion

pic
Editor guide
Collapse
craigmc08 profile image
Craig McIlwrath

About your comment that you didn't know it was possible to own the entire .dev domain:

Not sure how much you know, but this ending is the top level domain (TLD) and it is possible to purchase them like the secondary level domains most people are used to. But it's hard to buy them, expensive, and you need to provide a bunch of services for it.

Google and some other companies do own a lot, for example there is a .google TLD. Countries have their own, and CERN has one.