How to opt-out of the Preload List

Updated on Apr 30, 2018

The only downside on the Chrome Preload list is the fact that if you decide to remove your domain from it, you will have to again cover a set of requirements and wait 6-12 weeks to be delisted with additional time for delisting from other browser's lists.

The requirements which you will have to meet are the following:

  • Be preloaded or pending preload through hstspreload.org.
  • Serve HTTPS with a valid certificate.
  • Send a valid HSTS header that does not contain the preload directive.

To address them in order:

  • This is self-explanatory, as in order to ask for a delisting you should first be listed or at least pending for a listing in the preload list.
  • Even when delisting, you must still serve your content via HTTPS which means that your certificate must be active. Renewing your SSL might be needed in case it expired.
  • You must still have the HSTS header in your .htaccess file.However, you should edit out the preload directive.

You can get delisted from the preload list while still keeping your HSTS enabled. To completely disable HSTS leave only this in your header:

<IfModule mod_headers.c>

Header set Strict-Transport-Security "max-age=0"

</IfModule>

If for some reason, you cannot comply with the above-mentioned requirements but still wish to remove your domain from the preload list, you can contact the listing authority directly by using this contact email.

On this page...

    High Security Hosting

    • Network Firewall
    • Web Application Firewall
    • Brute-force Protection
    • Exploits and Malware Protect
    • CageFS Security
    • ModSecurity Manager
    View More