Continued compliance with the HSTS preload requirements.

[bardiharborow]

Hey! libsodium.org is currently HSTS preloaded, but has not continued to remain compliant with the preload requirements. If you are able to remedy this, it would be highly appreciated. This will ensure that if Chrome begins delisting non-compliant domains that yours will not be affected. Over at EFForg/https-everywhere, we can't remove rewrite rules for domains that are non-compliant because that would present a security risk if Chrome then also removes them. Your domain is one of hundreds of non-compliant domains which add unnecessary maintenance and file size to our rulesets. Any assistance you can provide is appreciated.

[jedisct1]

Hi,

And thanks for the heads up.

Can you clarify what doesn't comply with the HSTS preload requirements any more?

I didn't see anything obvious.

Thanks!

[bardiharborow]

http://libsodium.org needs to redirect to https://libsodium.org/ not https://www.libsodium.org/ in order to ensure that browsers without preload support still log the includeSubDomains directive for *.libsodium.org rather than *.www.libsodium.org and *.download.libsodium.org (noting that Strict-Transport-Security headers on HTTP endpoints do not take effect, so even having headers on http://libsodium.org like you currently do does not solve this issue).

[jedisct1]

Oh, I see.

This should now be fixed.

Thanks!

(for the record: s/\$server_name/\$host/g in the Nginx configuration file)

[bardiharborow]

Confirmed fixed. Thanks for the very quick responce.