Now that we all have our .app TLD, we’ve got a little bit of work ahead of us. Your product site _must_ use HSTS (and, of course, HTTPS.)
security.googleblog.com/2017/09/broade…
For the HTTPS part, I highly recommend automating your SSL cert installation using Let’s Encrypt and acme.sh.
github.com/Neilpang/acme.…
HSTS is just a header in the page you serve up over SSL. You can learn more about it and check your site here:
hstspreload.org
For some of us, it’s a little more work than others, but I think we can all agree that a secure (and private) web is a good thing these days.
iconfactoryapps.com
One final note: moving to HSTS is pretty much a one-way street: once you’re on the preload list (either by TLD or browser) it’s hard to get off. This explains why and gives server config examples:
raymii.org/s/tutorials/HT…
You can check the preload database by opening this URL in Chrome: chrome://net-internals/#hsts
If you do a query for any .app domain you’ll see this:
static_sts_domain: app
static_upgrade_mode: FORCE_HTTPS
This presents a chicken-and-the-egg problem for Let’s Encrypt: requests are limited to port 443, but you don’t have a cert for SSL yet. Luckily, you can issue a cert without using TLS on that port.
For example, in nginx conf:
#listen *:443 ssl;   # the normal TLS listener, re-enable once the cert is issued
listen *:443;        # plain HTTP on port 443 while the cert is being issued
And voilà!
linea.app
I’m seeing some people say they’re going to just set up a 302 redirect for their .app domain.
In order for that to work, it has to happen over SSL. Compare these results:
$ curl -I bitcam.app
$ curl -I bitcam.app
You can’t use a registrar’s feature…
Now try to load bitcam.app in Chrome.
It works OK in Safari, but not for much longer…
Crap, Twitter’s URL shortener screwed up this tweet. Do a curl command against both the HTTP and HTTPS domains - your registrar doesn’t provide a cert so the SSL redirect can’t work.
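A script that does both checks from this thread in one go: it validates a Strict-Transport-Security header value against the hstspreload.org requirements (max-age of at least one year, includeSubDomains, preload) and fetches the HTTP and HTTPS responses for a host, as the curl commands above do. This is an added example, not code from the thread; check_site assumes curl is installed and the host is reachable, while check_hsts_header works offline on a header value.

```shell
#!/bin/sh
# Validate a Strict-Transport-Security header value against the
# hstspreload.org submission rules: max-age >= 31536000 (one year),
# includeSubDomains and preload. Returns 0 if eligible, 1 otherwise.
check_hsts_header() {
  header="$1"
  # normalise: lowercase, drop whitespace, then split directives on ';'
  norm=$(printf '%s' "$header" | tr 'A-Z' 'a-z' | tr -d ' \t')
  max_age=""; has_subdomains=0; has_preload=0
  old_ifs=$IFS
  IFS=';'
  for directive in $norm; do
    case "$directive" in
      max-age=*)        max_age="${directive#max-age=}" ;;
      includesubdomains) has_subdomains=1 ;;
      preload)           has_preload=1 ;;
    esac
  done
  IFS=$old_ifs
  case "$max_age" in
    ''|*[!0-9]*) echo "missing or non-numeric max-age"; return 1 ;;
  esac
  if [ "$max_age" -lt 31536000 ]; then
    echo "max-age $max_age is below one year (31536000)"; return 1
  fi
  [ "$has_subdomains" -eq 1 ] || { echo "missing includeSubDomains"; return 1; }
  [ "$has_preload" -eq 1 ]    || { echo "missing preload"; return 1; }
  echo "ok"
  return 0
}

# Live check for one host (needs curl and network). The plain-HTTP status line
# is shown too, because on a preloaded TLD a redirect there is never reached
# by browsers: the HTTPS side is what has to work.
check_site() {
  host="$1"
  printf 'HTTP  -> %s\n' "$(curl -sI "http://$host" | head -n 1)"
  value=$(curl -sI "https://$host" | tr -d '\r' \
          | awk -F': ' 'tolower($1)=="strict-transport-security"{print $2}')
  [ -n "$value" ] || { echo "no Strict-Transport-Security header on https://$host"; return 1; }
  printf 'HSTS  -> %s\n' "$value"
  check_hsts_header "$value"
}
```

Run `check_site yourname.app` after the cert is in place; anything other than "ok" is a reason hstspreload.org will reject the submission.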