Bug 1351415: Add taskcluster.net to the HSTS preload list
Status: Closed (RESOLVED INVALID)
Opened 8 years ago, closed 4 years ago
Categories: Taskcluster :: Services, defect, P5
Tracking: Not tracked
People: Reporter: emorley, Unassigned
Bug 1351363 is aiming to add as many apex/root Mozilla domains to the HSTS preload list as possible, to protect first connections and also to catch any subdomains that forget to set an HSTS header themselves.
Rough steps:
1) Identify taskcluster.net subdomains that don't yet support HTTPS and file dependent bugs to fix them.
2) Ensure the apex/root domain (https://taskcluster.net/) serves an HSTS header that meets the requirements on https://hstspreload.org/
3) Submit the domain using that same tool
Comment 1•8 years ago
Also, to add:
4) make sure that https://taskcluster.net/ works (it currently only supports HTTP and redirects to https://docs.taskcluster.net/)
Thanks!
Comment 3•7 years ago
I would absolutely love to do this. Note that taskcluster.net itself sets an HSTS header of 60 seconds, and isn't set to preload.
Are all taskcluster.net subdomains running under HTTPS now and for the indefinite future? If so, I would recommend setting:
> Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
On the apex domain, and then submitting it to the preload list, which I would be happy to do. I don't know the taskcluster.net subdomains intimately well, so I would need sign off from someone before we do so. It is very painful to back out once done.
Thanks!
Flags: needinfo?(april)
Comment 4•6 years ago
Let's just solve this for redeployable headers. It's not clear that `taskcluster.net` will continue to host anything useful in the next few quarters.
Component: Operations → Redeployability
Updated•6 years ago
Priority: -- → P5
Updated•6 years ago
Component: Redeployability → Services
Comment 5•4 years ago
tc.net is not hosting anything but a marketing site now.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID