December 30, 2025
Padlock wars begin
HTTP Strict Transport Security (HSTS)
The web’s padlock sparks a power struggle: safety vs control
TLDR: Websites use HSTS to force secure HTTPS and stop snoops; browsers even preload some domains. Commenters are split: fans say it’s the long-awaited default, critics call it a heavy-handed ‘antifeature,’ and some want to kill port 80 entirely—this matters because it decides who controls your browser
HSTS is basically a website telling your browser, “Only visit me on the secure, padlocked version (HTTPS).” Concretely, the site sends a Strict-Transport-Security header on an HTTPS response with a max-age; for that long the browser rewrites every http:// link to that host into https:// before the request leaves the machine, and it will not let you click through a certificate error for that host either. That shuts down on-path attackers (the classic coffee-shop Wi‑Fi case) who would otherwise watch what you click, lift cookies sent over plain HTTP, or strip the redirect to HTTPS and keep you on the unsafe version. The catch is the very first visit: the browser has not seen the header yet, which is why major browsers ship a built‑in “preload list” of HSTS hosts. The doc says use HSTS, but rates preloading as not worth the trouble now that browsers try HTTPS first anyway. If you want the nitty‑gritty, it’s all in RFC 6797.
But the comments? Pure drama. One camp is cheering: tialaramex declared we’re at the endgame where normal folks finally get HTTPS by default—no padlock, no serious website. aargh_aargh rolled in with the flamethrower: if browsers already try HTTPS and sites redirect, why not kill port 80 (the old, insecure lane) completely? Cue “port 80 funeral” memes. arccy added that some domains like .dev are HTTPS‑only, which made everyone joke that the internet finally confiscated your training wheels. Then ocdtrekkie dropped the bomb: “HSTS is a broken antifeature.” Translation: a site shouldn’t boss your browser; Firefox won’t let you bypass HSTS, so they sometimes have to switch browsers just to get work done.
It’s a spicy split: safety squad vs user‑control purists. Padlock lovers want everything secure, power users want an override button. The web’s seatbelt is on—but who gets to drive?
Key Points
- HSTS instructs browsers to access a site only over HTTPS; the site opts in by sending the Strict-Transport-Security header (a required max-age, optionally includeSubDomains) on an HTTPS response.
- HSTS mitigates on-path attacks including passive browsing-history leaks, protocol downgrade (SSL-stripping) attacks, and hijacking of cookies sent over plain HTTP.
- Recommended deployment: first confirm that every subdomain, internal ones included, actually serves HTTPS, then raise max-age in stages (300, 604800, 2592000 seconds, i.e. 5 minutes, 1 week, 30 days).
- Browsers only learn a site’s HSTS policy after its first HTTPS response; Chrome’s preload list, which other major browsers also consume, enforces HTTPS from the very first request.
- Many browsers now auto-upgrade HTTP navigations to HTTPS anyway; HSTS is recommended, but HSTS preloading offers minimal additional benefit and is not recommended.
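To make the mechanics behind the key points concrete, here is an added example written for this summary (it is not code from the page being discussed or from any browser): a JavaScript model of the browser side of RFC 6797. It parses the Strict-Transport-Security header, keeps the “known HSTS hosts” store with an optional preload list, honours includeSubDomains, max-age=0 and expiry, and upgrades http:// navigations. The host names, the fixed clock and the preload entry `preloaded.example` are constructed; the three max-age values are the staged rollout from the key points.

```javascript
// Added example: a small model of the browser side of HSTS (RFC 6797), written for this
// summary; not code from the page it discusses or from any browser. Hosts are constructed.

// RFC 6797 section 6.1: parse a Strict-Transport-Security value. Directives are ';'-separated,
// names case-insensitive, max-age required, duplicates invalid, unknown ones ignored.
function parseStsHeader(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  const seen = new Set();
  for (const part of value.split(';')) {
    const directive = part.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (seen.has(name)) return null; // a directive may appear only once
    seen.add(name);
    if (name === 'max-age') {
      if (val === null) return null;
      if (/^".*"$/.test(val)) val = val.slice(1, -1); // quoted-string form is allowed
      if (!/^\d+$/.test(val)) return null;
      out.maxAge = Number(val);
    } else if (name === 'includesubdomains') out.includeSubDomains = true;
    else if (name === 'preload') out.preload = true;
  }
  return out.maxAge === null ? null : out; // null = invalid header, ignored by the browser
}

// Header value a site sends at each stage of the staged rollout the page recommends:
// 5 minutes, then a week, then 30 days (max-age is in seconds).
const ROLLOUT_MAX_AGES = [300, 604800, 2592000];
function buildStsHeader(stage, includeSubDomains) {
  return `max-age=${ROLLOUT_MAX_AGES[stage]}` + (includeSubDomains ? '; includeSubDomains' : '');
}

// The "known HSTS hosts" store a browser keeps; preloaded hosts are known from the
// very first request and never expire.
class HstsStore {
  constructor(preloaded = []) {
    this.hosts = new Map(); // host -> { expires (ms), includeSubDomains, preloaded }
    for (const h of preloaded) this.hosts.set(h.toLowerCase(), { expires: Infinity, includeSubDomains: true, preloaded: true });
  }
  // Sections 7.2 and 8.1: the header only counts over HTTPS and never for an IP-address
  // host; max-age=0 forgets the host; otherwise the expiry is (re)set. True = store changed.
  processResponse(host, scheme, headerValue, now) {
    if (scheme !== 'https' || /^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
    const d = parseStsHeader(headerValue);
    if (d === null) return false;
    const key = host.toLowerCase();
    const existing = this.hosts.get(key);
    if (existing && existing.preloaded) return false; // a header cannot weaken a preload entry
    if (d.maxAge === 0) return this.hosts.delete(key);
    this.hosts.set(key, { expires: now + d.maxAge * 1000, includeSubDomains: d.includeSubDomains, preloaded: false });
    return true;
  }
  // Sections 8.2 and 8.3: known if the host itself, or a superdomain whose entry carries
  // includeSubDomains, has an unexpired entry. Expired entries are dropped on the way.
  isKnownHstsHost(host, now) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.hosts.get(candidate);
      if (!entry) continue;
      if (entry.expires <= now) { this.hosts.delete(candidate); continue; }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }
  // Section 8.3: rewrite http:// to https:// for a known host. Port 80 becomes 443 (the URL
  // parser already dropped an explicit :80); any other explicit port is kept.
  upgrade(urlString, now) {
    const url = new URL(urlString);
    if (url.protocol !== 'http:' || !this.isKnownHstsHost(url.hostname, now)) return urlString;
    url.protocol = 'https:';
    return url.toString();
  }
}

// The scenario from the key points: first visit unprotected, later visits upgraded, subdomains
// covered, a preloaded host protected from the start, max-age=0 opts out, entries lapse.
function demo() {
  const now = 1700000000000; // fixed clock (ms) so the results are deterministic
  const store = new HstsStore(['preloaded.example']); // constructed preload entry
  const r = {};
  r.firstVisit = store.upgrade('http://www.example.com/login', now);
  store.processResponse('www.example.com', 'http', buildStsHeader(0, true), now); // ignored: not TLS
  r.afterHttpHeader = store.upgrade('http://www.example.com/login', now);
  store.processResponse('www.example.com', 'https', buildStsHeader(0, true), now);
  r.afterHttpsHeader = store.upgrade('http://www.example.com/login', now);
  r.subdomain = store.upgrade('http://api.www.example.com:8080/v1', now);
  r.preloaded = store.upgrade('http://preloaded.example/', now);
  store.processResponse('www.example.com', 'https', 'max-age=0', now);
  r.afterMaxAgeZero = store.upgrade('http://www.example.com/login', now);
  store.processResponse('www.example.com', 'https', buildStsHeader(2, false), now);
  r.afterExpiry = store.upgrade('http://www.example.com/login', now + (2592000 + 1) * 1000);
  return r;
}
```

The `demo()` walk-through reproduces the first-visit gap from the key points: nothing is upgraded until one HTTPS response has carried the header, which is exactly the window a preload entry closes, and a header received over plain HTTP is ignored so an on-path attacker cannot plant or clear a policy. The expiry step is why the rollout starts at 300 seconds: a mistake at that stage fixes itself in five minutes, while a wrong 30-day entry locks users out of any subdomain that cannot serve HTTPS.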