odd so randomly sometimes it just doesn't work and 404s? OK, I think it was some combination of weird cached things and then redirects that weren't working. https://graphs.arpnetworks.com just redirects to arpnetworks.com, and I think the HSTS somewhere was then getting cached. But if I go to https://graphs.arpnetworks.com/cacti/ it works. (After clearing all my cache and history.) For me, https://graphs.arpnetworks.com does NOT redirect to arpnetworks.com, it redirects to /cacti/. Also, it's not serving an HSTS header. But if I try http://graphs.arpnetworks.com it DOES redirect to arpnetworks.com. (And no HSTS header in that response, or the response from https://arpnetworks.com) ^ I've had this same issue with portal.arpnetworks.com -- I type "portal.arpnetworks.com" in my browser and end up at https://arpnetworks.com, but if I make sure to type https://portal.arpnetworks.com I end up where I wanted to be. Long story short... (portal|graphs).arpnetworks.com:80 really ought to redirect to the https://&:443 and _not_ https://arpnetworks.com, very jarring user experience +1 Yeah I just presumed an HSTS header because of how it was behaving and I was confused. I think ARP used to have an HSTS header but with not all the subdomains set up for https, they pulled it because they weren't comfortable. i think hsts was only ever on the main web site lg.arpnetworks.com doesn't have https Right, right. That's my recollection as well. BUT HSTS is typically recommended with "includeSubdomains" (IIRC) flag set so it causes browsers to assume *.arpnetworks.com are HSTS ah to my mind what is better is when you get put into google etc with HSTS like prepopulating mercutio: You're referring to https://hstspreload.org/ ? Of course, the easy way into that is to just have a domain under a TLD that's preloaded. 
looks to be i don't remember it being quite so easy It's been quite that easy for a few years now :P it needs includesubdomains for that maybe doing includesubdomains isn't such a bad idea, thoughts, up_the_irons ? mercutio: No there are whole TLDs that are on the list already. Like .dev and .vodka I think arpnetworks.vodka has a nice ring to it haha i didn't know that .google is another well-known (I think) [g]TLD that's on the HSTS list. With or without server headers, every web page served from a *.google domain is automatically HSTS'd, including all subdomains etc i didn't know there was a .google even so many new TLD now! tbh i don't pay much attention to domain names anymore i use google to search for what i want generally oof the HSTS list has grown quite a bit since I last looked https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json (Correction, .vodka is not on the HSTS list, I misread something) i prefer gin that's pretty cool