Why is HSTS preloading at the TLD level better than doing it for individual sites?
From a configuration perspective it’s much simpler. You don’t have to worry about preloading sites individually or sending HSTS headers: you add your TLD to the list once and all of your sites are covered. The readiness check is straightforward: if you can already reach your websites at https:// and they load correctly (i.e. they present valid TLS certificates for the names you use), you’re good to go for HSTS preloading. One caveat: a TLD entry applies to every hostname beneath it, subdomains included, so any host under your domain that is reachable only over plain http:// will stop loading once the TLD is preloaded, because browsers do not let users click through an HSTS failure.
Another benefit of preloading at the TLD level comes from the rollout process for the HSTS preload list itself. To preload an individual domain name, you submit it at hstspreload.org, where it is verified and added to the list, which can take a few weeks. From there, each browser pulls the list according to its own release cycle, so it typically takes several months between a change being made to the list and that change shipping in the next major browser version. And then there’s the lag between a new version being released and users finally getting around to updating their software.
Doing this for every site you launch is impractical for webmasters. But if the entire TLD has already been preloaded, then every newly created domain on that TLD gets the benefit of the added security from the moment it is created, with no submission and no waiting for a browser release.

For HSTS preloading as a whole, TLD-level preloading has an aggregate effect as well. There are only a relatively small number of TLDs, so preloading at that level scales far better in terms of the overall size of the preload list than adding domains one by one. Keeping the list smaller saves a non-negligible amount of storage, memory, and CPU cycles (spent checking hostnames against the list) across the billions of desktop and mobile browser installations out there. In the future, for size reasons, the list might close to new additions of individual domain names unless they meet certain criteria, but if your entire TLD is on the list you wouldn’t face that problem.
And perhaps most importantly, there is speed. When a domain is HSTS preloaded, the user’s browser always goes to the https version immediately; it never fetches the http version and never follows a redirect served there. That saves a round trip to the server, which is a non-negligible speed improvement, especially for people on mobile connections. That plaintext redirect is also the one request an on-path attacker could intercept or answer with a downgraded page, so removing it closes the gap that HSTS exists to close.
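To make the mechanism above concrete, here is an added example, written for this page and not code from the TLD registry, hstspreload.org or any browser. It models two things described in the text: how a browser consults the preload list, walking from the exact hostname up through its parent domains so that one TLD entry flagged include_subdomains covers every name registered under it (including names created after the list shipped), and how an http:// URL is rewritten to https:// before any request goes out, so the plaintext redirect round trip never happens. It also checks whether a Strict-Transport-Security header would meet hstspreload.org’s submission requirements for an individual domain. The preload entries, the TLD name example-tld and the hostname individual.example are constructed for illustration; the real list is in Chromium’s transport_security_state_static.json and uses the same name / include_subdomains fields.

```python
"""Minimal model of a browser's HSTS preload check and URL upgrade.

Illustrative code written for this page; not Chromium's implementation and not
the hstspreload.org tooling. Entries below are constructed sample data.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class PreloadEntry:
    name: str
    include_subdomains: bool


# Constructed sample in the shape of the real list's entries (hypothetical names).
SAMPLE_PRELOAD_LIST = [
    {"name": "example-tld", "include_subdomains": True},          # whole-TLD entry
    {"name": "individual.example", "include_subdomains": False},  # one host only
]


def build_index(entries):
    """Index entries by name for O(1) lookups per candidate label suffix."""
    return {e["name"]: PreloadEntry(e["name"], e["include_subdomains"]) for e in entries}


def preload_entry_for(host, index):
    """Return the preload entry governing host, or None.

    Check the exact host first, then each parent domain. A parent entry applies
    only when its include_subdomains flag is set. This suffix walk is why a single
    TLD entry covers every registration under it without its own list entry.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = index.get(".".join(labels[i:]))
        if entry is None:
            continue
        if i == 0 or entry.include_subdomains:
            return entry
    return None


def upgrade_url(url, index):
    """Rewrite http:// to https:// before any request if the host is preloaded.

    This is the step that removes the plaintext round trip: the browser never
    contacts port 80, so there is no http redirect to follow or to tamper with.
    Per RFC 6797, an explicit port 80 becomes 443; other ports are kept.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or preload_entry_for(parts.hostname or "", index) is None:
        return url
    netloc = parts.netloc
    if netloc.endswith(":80"):
        netloc = netloc[:-3] + ":443"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def parse_sts(header):
    """Parse Strict-Transport-Security directives (case-insensitive names)."""
    directives = {}
    for raw in header.split(";"):
        raw = raw.strip()
        if raw:
            name, _, value = raw.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives


PRELOAD_MIN_MAX_AGE = 31536000  # one year, hstspreload.org's submission threshold


def preload_eligible(header):
    """True if the header meets hstspreload.org's requirements for a single domain:
    max-age of at least one year, includeSubDomains, and the preload token."""
    d = parse_sts(header)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return False
    return max_age >= PRELOAD_MIN_MAX_AGE and "includesubdomains" in d and "preload" in d


if __name__ == "__main__":
    idx = build_index(SAMPLE_PRELOAD_LIST)
    # A domain registered today under the preloaded TLD is upgraded with no entry of its own.
    print(upgrade_url("http://brand-new.example-tld/login", idx))
    # A single-host entry without includeSubDomains does not cover its subdomains.
    print(upgrade_url("http://www.individual.example/", idx))
    print(preload_eligible("max-age=31536000; includeSubDomains; preload"))
```

The suffix walk is the whole point of the page's argument: the second URL above stays on http because individual.example was preloaded without includeSubDomains, whereas anything under example-tld is upgraded the moment it exists.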