- Package:
- www.debian.org
- Source:
- www.debian.org
- Submitter:
- Josh Triplett
- Date:
- 2026-02-06 19:33:02 UTC
- Severity:
- wishlist
- Tags:
https://www.debian.org/ (and other Debian sites) serve a Strict-Transport-Security header to enable HSTS. Please consider enabling preloading as well; see https://hstspreload.appspot.com/ for details. Enabling preloading would ensure that even if a user types "debian.org" into their browser, the very first request from that browser will use HTTPS rather than HTTP. Thanks, Josh Triplett
Unfortunately we can't do that because they only allow top-level domains to be preloaded and not all debian.org subdomains support https (and some never will, like nossl.people.debian.org). If that requirement were to be relaxed then we could get added to the preload list.
Control: tags -1 + wontfix It looks like that requirement is still present a decade later. Regards, Adam