Feb 14, 2026
Today I learned that the .dev top-level domain is HSTS-preloaded.
It means that .dev websites can only be accessed through HTTPS (not HTTP).
HTTPS is cool and everything, but there’s a side effect.
It comes from using a VPN and internal resources.
These days, I only consider Let’s Encrypt for SSL certificates. Unfortunately, my DNS provider doesn’t expose API access, which makes DNS-01 challenge automation impossible. That leaves me with only the HTTP-01 challenge, which means I need to have my host exposed to the public internet. Which is not the case.
But hey, the resource is already accessed through a VPN, so it’s encrypted in transit the best way possible.
That makes HTTPS redundant.
Okay then, let’s use plain HTTP, right?
Not if you’re on a .dev domain, you don’t.
Thanks to HSTS, the HTTP protocol is off-limits.
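
As an added example (not from the original post), this JavaScript models the lookup a browser does against its built-in HSTS preload list before sending a plain-HTTP request, which is why every host under .dev is rewritten to HTTPS even on a private network. The hostnames and the second list entry are constructed, and the entry field names are modeled on Chromium's preload list format.

```javascript
// Constructed preload entries; field names are modeled on Chromium's
// preload list format. Only "dev" comes from the post, the second
// entry is made up to show the no-subdomains case.
const PRELOAD = [
  { name: "dev", mode: "force-https", include_subdomains: true },
  { name: "login.example.org", mode: "force-https", include_subdomains: false },
];

// Walk from the full hostname up to the TLD and return the first entry
// that applies: an exact match, or a parent with include_subdomains.
function findPreloadEntry(hostname, entries = PRELOAD) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const entry = entries.find((e) => e.name === candidate);
    if (!entry || entry.mode !== "force-https") continue;
    if (i === 0 || entry.include_subdomains) return entry;
  }
  return null;
}

// Return the URL the browser would actually request. The rewrite happens
// client-side, before any packet is sent, so the server cannot opt out.
function effectiveUrl(input, entries = PRELOAD) {
  const url = new URL(input);
  if (url.protocol !== "http:") return url.href;
  if (!findPreloadEntry(url.hostname, entries)) return url.href;
  // An explicit non-default port is kept; only the scheme changes.
  url.protocol = "https:";
  return url.href;
}

// Constructed internal hostnames.
for (const u of [
  "http://wiki.corp.example.dev/",
  "http://wiki.corp.example.dev:8080/status",
  "http://wiki.corp.example.test/",
  "http://a.login.example.org/",
]) {
  console.log(`${u} -> ${effectiveUrl(u)}`);
}
```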