HSTS Preloading of all .Dev domains: Troubleshooting

I’ve been quietly planning out SheHacksPurple.dev for the past little while, with the intent to announce it while at RSAC last week in San Francisco. My new site provides regular security content for a modest fee ($7/month), all created by yours truly, on the topics of DevSecOps, AppSec, Cloud Security, MFA, etc. Soon I will be releasing full length training courses on these topics, also at affordable prices.

** Our company website is now WeHackPurple.com

That said, when I pointed my domain at Podia.com (the place that is hosting my content), I followed the directions, and it did not work. The https://www.shehackspurple.dev link worked, but the apex domain, https://shehackspurple.dev, was throwing a security error. The instructions were to point the CNAME record for “www” to the Podia address for my content, no problem. Then forward the apex domain (no “www” at the front), to the www address for my site. I wasn’t sure why but the following error was thrown in all browsers.

HOW EMBARRASSING! I teach how to implement HSTS, then I can’t get it right? Ahh!

By this point I knew it was an HSTS problem, and that I was being pre-loaded, so I tried to remove my URL from being pre-loaded. Sounds easy right? Nope.

Being rejected by the HSTS Preload Page

At this point I felt I had to ask for help, people were clicking on the links from my presentations and getting this embarrassing error. Time to swallow my pride. I called GoDaddy, the ones who sold me the “.dev” domain name, and they had no idea. I called Podia, and they were also at a loss.

My sharing my feelings with the Chromium Dev Team.

They did not answer my accusatory tweet.

So then I did what I always do when I’m completely stuck; I asked my brilliant twitter followers.

Within 10 minutes someone pointed out that Google had purchased the entire “.dev” domain (I didn’t know that was possible) and decided to force pre-loading of the HSTS security header on all of the domains under .Dev. THAT was why I could not get my URL to stop being pre-loaded. This news surprised me because 1) shouldn’t GoDaddy have known this was the issue since they sold me the .dev domain? 2) forcing a security feature on everyone often leads to poor results and 3) apparently some people think that “.dev” means a site that is under development, when it actually means “for developers”. No one is going to buy a completely separate domain so they can host their dev stuff on it, internal to their own networks. That makes zero sense folks.

In summary, I bought a .dev because I thought that’s where all the cool kids were, but it turns out that the .dev addresses come with baggage. My emails from my new domain are too-often caught in spam filters, and now this HSTS situation… But I digress.

read a few articles on this topic, and I learned that the TLS handshake couldn’t be completed on the apex (my domain without the “www” at the front), because I had it forwarding to my www domain. HSTS forces you to complete the handshake. GoDaddy’s forwarding feature doesn’t complete it, it just forwards it directly, which is not enough for HSTS, it’s strict.

Once I knew what the problem was, then I had to figure out a way to hack around it. I’m stubborn and did not want to have to start all over with a new domain. No way.

Luckily a whole bunch of my followers had great ideas. Michael Buckbee was particularly helpful, helping me figure out that the APEX (https://shehackspurple.dev) needed to terminate the TLS, so then I just needed to figure out how to do it. PS Thanks Michael!

This is where I turned to CloudFlare. No, this is not an advertisement for them, we aren’t affiliated (but if they want to buy a subscription to my site that would be cool!).

CloudFlare protects sites from DDOS and other internet problems, and in the process they *forward* your traffic. GREAT, I needed my traffic forwarded. And since they are a security company they terminate the TLS. PERFECT.

First I set up CloudFlare, which was super-simple. They have a free plan and I choose that one, so far so good.

Then I created a Page Rule to forward my Apex URL to my www URL, like so.

My CloudFlare Page Rule

And BOOM, SheHacksPurple.dev is no longer broken, and I can post content for all to find. 😀

For content like this and more, check out my book, Alice and Bob Learn Application Security and my online community, We Hack Purple!