Google Bringing HSTS To Google.com
Google announced bringing HTTP Strict Transport Security (abbreviated as HSTS) to www.google.com. HSTS is a web security policy mechanism which allows a web server to enforce the use of HTTPS in a compliant User Agent (UA), such as a web browser. It lets a website tell web browsers that it should only be communicated with using HTTPS instead of using HTTP.
Although Google moved to HTTPS long before many well-known top sites such as Twitter, Facebook or Wikipedia, it is the last among them to bring HSTS to its site, google.com. Moreover, as announced on the Google Blog, HSTS is for the moment enabled only on www.google.com.
Below are the HTTPS migration dates for Google and some other top sites.
Soon after Google's HSTS announcement, YouTube followed the same path and announced that it was bringing HSTS to YouTube.
A web server needs to return the Strict-Transport-Security HTTP header when the site is accessed over HTTPS in order to enable HSTS. However, no Strict-Transport-Security header is returned when the HTTP headers of www.google.com are fetched, although this header is returned by the other top sites cited above.
A second way of checking this information is through Chrome. The Google Chrome browser offers a quick way to check a domain's HSTS status via chrome://net-internals/#hsts. Querying the domain www.google.com on chrome://net-internals/#hsts gives the result below.
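The header check described above can be reproduced offline. The following is an added example, not code from the original post: it applies the RFC 6797 processing rules to a response's headers and reports what a compliant UA would record. The function names `parse_hsts` and `hsts_state` and the sample responses are assumptions constructed for illustration.

```python
import re

# One directive per RFC 6797 section 6.1: token [ "=" ( token | quoted-string ) ]
_DIRECTIVE = re.compile(
    r"""^([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s*(?:=\s*(?:"([^"]*)"|([^\s";=]+)))?$""")

def parse_hsts(value):
    """Parse one Strict-Transport-Security value; None means a UA ignores it."""
    seen = {}
    for part in value.split(";"):   # simplification: no ';' inside quoted values
        part = part.strip()
        if not part:                # empty directives (";;") are permitted
            continue
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()   # directive names are case-insensitive
        if name in seen:            # a repeated directive invalidates the header
            return None
        seen[name] = m.group(2) if m.group(2) is not None else m.group(3)
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None                 # max-age is required and must be digits
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}   # preload-list marker, not an RFC directive

def hsts_state(scheme, headers):
    """What a UA records for one response; headers is a list of (name, value)."""
    if scheme != "https":           # the header is ignored over plain HTTP
        return "ignored-over-http"
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return "absent"
    policy = parse_hsts(values[0])  # only the first header field is processed
    if policy is None:
        return "invalid"
    return "cleared" if policy["max_age"] == 0 else "strict"

# Constructed responses, not captured from any real site.
SAMPLES = [
    ("https", [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]),
    ("https", [("Content-Type", "text/html")]),
    ("http",  [("Strict-Transport-Security", "max-age=31536000")]),
]

if __name__ == "__main__":
    for scheme, headers in SAMPLES:
        print(scheme, hsts_state(scheme, headers))
```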
STRICT as dynamic_upgrade_mode means that the browser has been instructed to enable HSTS by an HTTP response header.
A third way of verifying Google's announcement about bringing HSTS to google.com is to check Chrome's HSTS preload list, which is a list of sites that are hardcoded into Chrome as being HTTPS only. Most major browsers (Chrome, Firefox, Opera, Safari, IE 11 and Edge) also have HSTS preload lists based on the Chrome list.
A sample from this list is below.