Chrome to force .dev domains to HTTPS via preloaded HSTS
source link: https://ma.ttias.be/chrome-force-dev-domains-https-via-preloaded-hsts/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
tl;dr: Chrome 63 (out since December 2017), will force all domains ending on .dev (and .foo) to be redirected to HTTPS via a preloaded HTTP Strict Transport Security (HSTS) header.
Update 07/02/2018: Firefox now also forces .DEV domains to HTTPS.
Wait, there’s a legit .dev gTLD?
Yes, unfortunately.
It’s been bought by Google as one of their 100+ new gTLDs. What do they use it for? No clue. But it’s going to cause a fair bit of confusion and pain to web developers.
The .dev gTLD has nameservers and is basically like any other TLD out there, we as developers just happen to have chosen that name as a good placeholder for local development, too, overwriting the public DNS.
$ dig +trace dev. NS dev. 172800 IN NS ns-tld4.charlestonroadregistry.com. dev. 172800 IN NS ns-tld5.charlestonroadregistry.com. dev. 172800 IN NS ns-tld3.charlestonroadregistry.com. dev. 172800 IN NS ns-tld2.charlestonroadregistry.com. dev. 172800 IN NS ns-tld1.charlestonroadregistry.com.
Google publishes some of their domains on there, too;
$ dig +trace google.dev A google.dev. 3600 IN A 127.0.53.53
So yes, it’s a legit TLD.
Consequences of redirecting .dev to HTTPS
A lot of (web) developers use a local .dev TLD for their own development. Either by adding records to their /etc/hosts file or by using a system like Laravel Valet, which runs a dnsmasq service on your system to translate *.dev to 127.0.0.1.
In those cases, if you browse to http://site.dev, you’ll be redirect to https://site.dev, the HTTPS variant.
That means your local development machine needs to;
- Be able to serve HTTPs
- Have self-signed certificates in place to handle that
- Have that self-signed certificate added to your local trust store (you can’t dismiss self-signed certificates with HSTS, they need to be ‘trusted’ by your computer)
Such fun.
What should we do?
With .dev being an official gTLD, we’re most likely better of changing our preferred local development suffix from .dev to something else.
If you’re looking for a quick “search and replace” alternative for existing setups, consider the .test gTLD, which is a reserved name by IETF for testing (or development) purposes.
There’s also an excellent proposal to add the .localhost domain as a new standard, which would be more appropriate here. It would mean we no longer have site.dev, but site.localhost. And everything at *.localhost would automatically translate to 127.0.0.1, without /etc/hosts or dnsmasq workarounds.
I do hope the Chromium team reconsiders the preloaded HSTS as it’s going to have rather big implications for local web development.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK