SecurityEngineering/HTTP Strict Transport Security (HSTS) Preload List
HTTP Strict Transport Security (HSTS) Preload List
Firefox ships with a list of hosts that are treated as HTTP Strict Transport Security (HSTS, see RFC 6797) hosts by default. This list is based on a list Chromium maintains. The versions of the list as it exists in the various channels of Firefox are available here: mozilla-central, mozilla-aurora, mozilla-beta, mozilla-release, mozilla-esr45.
Each Saturday, an automated job attempts to update the preload list in mozilla-central, mozilla-aurora, and mozilla-esr. This involves running an xpcshell script that makes an HTTPS request to each candidate host on the list. If xpcshell can connect successfully to a host and receives a "Strict-Transport-Security" header with a max-age value of at least 10886400 (18 weeks in seconds), that host is included in the list. The xpcshell script is here. Output from the automated job is here (search for "periodicupdate"). If xpcshell cannot connect successfully to a host or does not receive an appropriate header, that host is not included in the preload list. A corresponding entry in this file may help in determining the underlying error.
To guard against accidentally dropping a host from the list due to intermittent network issues or an active attacker, if a host is already on the preload list in Firefox but cannot be reached, the script keeps it on the preload list. For a host to be removed from Firefox's preload list, it must be accessible when the update script runs and it must either not send a Strict-Transport-Security header or it must send the header with a max-age less than 10886400.
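The two rules above (the max-age threshold for inclusion, and the keep-if-unreachable guard against intermittent failures or an active attacker) are small enough to model end to end. The following is an added illustration, not Mozilla's xpcshell script: it parses the max-age directive of a Strict-Transport-Security header value and applies the inclusion/retention decision to a constructed set of observations. The host names, the `observations` structure and the function names are assumptions made for the example; the page does not say whether the real script also checks directives such as includeSubDomains, so this example deliberately checks only max-age.

```python
from typing import Dict, Optional, Set, Tuple

# Minimum max-age a host must advertise to be preloaded: 18 weeks in seconds.
MIN_MAX_AGE = 18 * 7 * 24 * 60 * 60  # 10886400


def parse_max_age(header_value: Optional[str]) -> Optional[int]:
    """Return the max-age directive of an STS header value, or None.

    None means the header was absent or carried no well-formed max-age.
    Directive names are case-insensitive; RFC 6797 allows the value to be
    a quoted string, so surrounding quotes are stripped.
    """
    if header_value is None:
        return None
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isdigit() else None
    return None


def keep_on_list(currently_preloaded: bool,
                 reachable: bool,
                 sts_header: Optional[str]) -> bool:
    """Decide whether a host belongs on the next version of the preload list.

    - Unreachable hosts are never added, but an existing entry is kept so a
      transient outage or an attacker blocking the connection cannot evict it.
    - Reachable hosts stay/join only if they send an STS header whose
      max-age is at least MIN_MAX_AGE.
    """
    if not reachable:
        return currently_preloaded
    max_age = parse_max_age(sts_header)
    return max_age is not None and max_age >= MIN_MAX_AGE


def update_preload_list(current: Set[str],
                        observations: Dict[str, Tuple[bool, Optional[str]]]
                        ) -> Set[str]:
    """Apply keep_on_list to every candidate host.

    observations maps host -> (reachable, STS header value or None).
    Hosts on the current list that were not probed at all are treated as
    unreachable, i.e. retained.
    """
    candidates = set(current) | set(observations)
    result = set()
    for host in sorted(candidates):
        reachable, header = observations.get(host, (False, None))
        if keep_on_list(host in current, reachable, header):
            result.add(host)
    return result


# Constructed sample data (hypothetical hosts; not from the real list).
CURRENT_LIST = {"kept.example", "dropped.example", "offline.example"}
OBSERVATIONS = {
    # reachable, strong header: stays on the list
    "kept.example": (True, "max-age=31536000; includeSubDomains; preload"),
    # reachable, max-age one second below the threshold: removed
    "dropped.example": (True, "max-age=10886399"),
    # unreachable this run: retained because it is already listed
    "offline.example": (False, None),
    # reachable, exactly at the threshold: newly added
    "new.example": (True, 'max-age="10886400"'),
    # reachable but no STS header at all: not added
    "nohsts.example": (True, None),
}

if __name__ == "__main__":
    for host in sorted(update_preload_list(CURRENT_LIST, OBSERVATIONS)):
        print(host)
```

Note that the asymmetry is intentional: an unreachable host can only ever be retained, never added, so an attacker who can block the probe gains nothing, while a site that really wants off the list has to be reachable and say so via its own header.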
The preload list has a built-in expiration time that is 18 weeks from when the list was most recently updated.