Updated on Apr 30, 2018
Even if you have the HSTS header added to your website's .htaccess file, there is still a small window of vulnerability for newly installed browsers or completely wiped local states: the very first request is made over plain HTTP before the browser has ever seen the header. To counter this, the Chromium Projects came up with the idea of a preload list for Chrome containing all domains (and subdomains/nested subdomains) whose owners have opted in to having HSTS enabled by default. Mozilla Firefox and Safari maintain similar lists based on the original Chrome list so that they can do the same. You can opt in for inclusion in this list if you meet the requirements defined by the Chromium Projects team:
Additionally, serving the HSTS header on the base domain for HTTPS requests requires:
To address these requirements in order:
# Redirect every request that arrives on port 80 (plain HTTP) to the same path over HTTPS
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://yourdomainhere.com/$1 [R=301,L]
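To check a domain's header and redirect against the preload rules offline before using the submission page, here is an added example (not code from the original tutorial or from hstspreload.org). It assumes the one-year max-age minimum that hstspreload.org publishes at the time of writing; the threshold is a parameter so it can be adjusted if the rules change, and the header and Location values are constructed samples.

```python
"""Offline check of a Strict-Transport-Security header and an HTTP->HTTPS redirect
against the HSTS preload-list rules. Added example, not part of the original tutorial."""
from urllib.parse import urlsplit

# Assumption: the one-year minimum currently required by hstspreload.org.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header):
    """Return {directive_name_lowercase: value_or_None} for an HSTS header value.

    Directive names are case-insensitive (RFC 6797); a quoted max-age is unquoted.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def preload_problems(header, min_max_age=PRELOAD_MIN_MAX_AGE):
    """List the reasons a header would fail preload submission (empty list = passes)."""
    if header is None:
        return ["no Strict-Transport-Security header on the base domain"]
    d = parse_hsts(header)
    try:
        max_age = int(d.get("max-age") or "")
    except ValueError:
        return ["max-age directive missing or not an integer"]
    problems = []
    if max_age < min_max_age:
        problems.append(f"max-age {max_age} is below the required {min_max_age}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def redirect_ok(http_host, location):
    """True if an HTTP request to http_host is redirected to HTTPS on the same host."""
    target = urlsplit(location)
    return target.scheme == "https" and target.hostname == http_host.lower()


if __name__ == "__main__":
    # Constructed sample values, as the .htaccess rule above would produce them.
    print(preload_problems("max-age=31536000; includeSubDomains; preload"))   # []
    print(redirect_ok("yourdomainhere.com", "https://yourdomainhere.com/"))   # True
```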
Once you cover all of the above, go to this page for a check on HSTS compliance. Enter your domain, and you should see the following screen.
Once added to the preload list, reversing the action is very time consuming and may take up to 12 weeks for Chrome users and longer for the other browsers. For more information on this, please visit our "How to opt-out of the Chrome Preload List" tutorial.
Below it, you will have the submit form in which you have to agree with the two terms by checking their boxes and then click on the submit button.
With this, your domain is now in the preload list and will load directly over HTTPS, even on a browser's first visit, mitigating MITM attack attempts.