Chrome & Firefox now force .dev domains to HTTPS via preloaded HSTS

Mattias Geniar, September 17, 2017

tl;dr: Chrome 63 (out since December 2017) will force all domains ending in .dev (and .foo) to be redirected to HTTPS via a preloaded HTTP Strict Transport Security (HSTS) header.

Update 07/02/2018: Firefox now also forces .DEV domains to HTTPS.


Wait, there’s a legit .dev gTLD?

Yes, unfortunately.

It’s been bought by Google as one of their 100+ new gTLDs. What do they use it for? No clue. But it’s going to cause a fair bit of confusion and pain to web developers.

The .dev gTLD has nameservers and is basically like any other TLD out there. We as developers just happen to have chosen that name as a good placeholder for local development too, overwriting the public DNS.

$ dig +trace dev. NS
dev.            172800  IN  NS  ns-tld4.charlestonroadregistry.com.
dev.            172800  IN  NS  ns-tld5.charlestonroadregistry.com.
dev.            172800  IN  NS  ns-tld3.charlestonroadregistry.com.
dev.            172800  IN  NS  ns-tld2.charlestonroadregistry.com.
dev.            172800  IN  NS  ns-tld1.charlestonroadregistry.com.

Google publishes some of their domains on there, too:

$ dig +trace google.dev A
google.dev.     3600    IN  A   127.0.53.53

So yes, it’s a legit TLD.

Consequences of redirecting .dev to HTTPS

A lot of (web) developers use a local .dev TLD for their own development, either by adding records to their /etc/hosts file or by using a system like Laravel Valet, which runs a dnsmasq service on your system to translate *.dev to 127.0.0.1.

In those cases, if you browse to http://site.dev, you’ll be redirected to https://site.dev, the HTTPS variant.

That means your local development machine needs to:

  • Be able to serve HTTPS
  • Have self-signed certificates in place to handle that
  • Have that self-signed certificate added to your local trust store (you can’t dismiss self-signed certificates with HSTS, they need to be ‘trusted’ by your computer)

Such fun.

What should we do?

With .dev being an official gTLD, we’re most likely better off changing our preferred local development suffix from .dev to something else.

If you’re looking for a quick “search and replace” alternative for existing setups, consider the .test gTLD, which is a name reserved by the IETF for testing (or development) purposes.
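To find what that search and replace has to touch, the script below audits hosts-file entries and dnsmasq `address=` lines for names under .dev and .foo and proposes the .test equivalent. It is an added example, not code from the original post; the sample inputs are constructed and the function names are hypothetical.

```python
# TLDs the post names as forced to HTTPS via the preloaded HSTS list.
PRELOADED_TLDS = {"dev", "foo"}
REPLACEMENT_TLD = "test"  # reserved for testing, as the post suggests

# Constructed sample input: an /etc/hosts fragment and a dnsmasq line.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   site.dev api.site.dev   # local project
::1         shop.foo
127.0.0.1   devtools.example.com
# 127.0.0.1 old.dev
"""
SAMPLE_DNSMASQ = "address=/.dev/127.0.0.1\n"

def is_forced_https(name):
    """True if the name is, or sits under, a preloaded TLD."""
    return name.rstrip(".").lower().rsplit(".", 1)[-1] in PRELOADED_TLDS

def rename(name):
    """Swap the final label of a name for the replacement TLD."""
    head, _, _ = name.rstrip(".").rpartition(".")
    return f"{head}.{REPLACEMENT_TLD}" if head else REPLACEMENT_TLD

def audit_hosts(text):
    """Return {old_name: new_name} for affected names in hosts-file text."""
    renames = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        for name in fields[1:]:                 # fields[0] is the address
            if is_forced_https(name):
                renames[name] = rename(name)
    return renames

def audit_dnsmasq(text):
    """Return affected domains from dnsmasq address=/domain/.../ip lines."""
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("address=/"):
            # Everything between the first and last "/" is a domain.
            domains = line[len("address="):].split("/")[1:-1]
            hits += [d for d in domains if is_forced_https(d)]
    return hits

if __name__ == "__main__":
    for old, new in audit_hosts(SAMPLE_HOSTS).items():
        print(f"hosts:   {old} -> {new}")
    for domain in audit_dnsmasq(SAMPLE_DNSMASQ):
        print(f"dnsmasq: wildcard {domain} is forced to HTTPS")
```

Names that merely contain "dev" in another label, such as devtools.example.com, are left alone because only the final label is compared.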

There’s also an excellent proposal to add the .localhost domain as a new standard, which would be more appropriate here. It would mean we no longer have site.dev, but site.localhost. And everything at *.localhost would automatically translate to 127.0.0.1, without /etc/hosts or dnsmasq workarounds.

I do hope the Chromium team reconsiders the preloaded HSTS as it’s going to have rather big implications for local web development.
