Everyone know the what HSTS (HTTP Strict Transport Policy) does- It instructs the browsers to load a website over HTTPS no matter what. You cannot load a website on the http. When you hit a website, eg, http://example.com, the server returns ‘Strict-Transport-Security’ Header that tells that now onwards the website must be loaded over https.
We know the issue related to redirecting a site from http to https, the 302/ 301 redirects the site to its secure scheme by loading the https://expmale.com when user hits http://example.com . The issue here is the response from the first request which loads on http can be modified and contents can be replaced with some phishing ones. Still a large no. of websites do this redirection, one classic example is American Express. When you try to access www.americanexpress.com first time , it redirects you to https://www.americanexpress.com :
The website first loads as http and then makes a 301 redirect and loads again over https. The below pic will make it clearer:
Now let’s examine the following website (Facebook). Try accessing http://facebook.com and it loads on https://facebook.com . But there’s a difference here, instead of making 301/ 302 redirect the Facebook site makes a 307 redirect which is an internal redirect:
The 307 instructs that the browser is not going to make the first request itself on http, instead it will make the first request over https. The browser has refused to make any connection on insecure protocol http. Let’s examine the response:
You can see the HSTS header in the response:
All the sites which need to be loaded over https by default must be submitted to https://hstspreload.appspot.com/ site. This site is maintained by chrome and has a list of domains which needs to be loaded over https by default. That means, when the browser is shipped, your site will be a part of the list where https is by default.