Effective May 15, 2017, GSA’s DotGov Domain Registration Program will begin providing HSTS Preloading services for federal agencies. HSTS stands for HTTP Strict Transport Security, a mechanism that tells web browsers to connect to a site over HTTPS only. This new service helps ensure that visitor communication with .gov websites is not modified or compromised, and that hostile networks cannot inject malware or tracking beacons, or otherwise monitor or change visitor interactions online.
As part of this new service, any federal government executive branch .gov domain, created after May 15, 2017, will be automatically registered as HTTPS-only in modern web browsers through HSTS preloading. This change will affect all web services hosted on these domains (including subdomains and internal sites). Existing executive branch federal .gov domains, including the ones up for renewal, will not be affected by this change.
Once new .gov executive branch federal domains are registered as HTTPS-only, agencies MUST obtain and deploy HTTPS certificates to enable visitors to access the websites hosted on these domains. Visitors will not be able to click through certificate warnings if the certificates expire or do not exist on those websites. Learn how to obtain HTTPS certificates.
For more details about the HSTS Preloading Service, check out the links below:
- HSTS Preloading best practices on dotgov.gov
- The original public announcement of this change
- GSA’s guidance on HTTPS, HSTS, and preloading