The First .gov Domains Hardcoded Into Your Browser as All-HTTPS

Screenshot of list of .gov domains with HTTPS preloaded
Every .gov website, no matter how small, should give its visitors a secure, private connection. Plain HTTP (http://) connections are neither secure nor private, and can be easily intercepted and impersonated. In today’s web browsers, the best and easiest way to fix that is to use HTTPS (https://). Now, a number of government websites have taken a step further and are becoming the first .gov domains hardcoded into major web browsers as HTTPS-only. This means that these .gov domains are taking the extra step of verifying that all their subdomains use HTTPS.

Recently, notalone.gov, a website launched by the White House Task Force to Protect Students from Sexual Assault, was hardcoded into major web browsers as HTTPS-only. This means that when visitors type “notalone.gov” or click a link to http://notalone.gov, the browser will go directly to https://notalone.gov without ever attempting to connect over plain HTTP. This prevents anyone from getting a chance to intercept or maliciously redirect the connection, and avoids exposing URLs, metadata, and cookies that would otherwise have remained private.

18F worked with a number of government teams to help submit 19 .gov domains to be hardcoded as HTTPS-only. These .gov domains include:

To be clear: the above domains are not the only .gov domains that use HTTPS. Many others do. The above domains have taken the extra step of verifying that all their subdomains use HTTPS, and are comfortable telling browsers to just assume this going forward. This will take effect in Chrome, Firefox, and Safari over the course of 2015.

To read more about why HTTPS is important, how to reliably force HTTPS, and how to submit your own domain to browsers, read the full post here.

For more on 18F, visit 18f.gsa.gov or follow us on Twitter @18F.