Google’s new TLDs (top level domains) like .app, .dev, and .page have built-in security features. They force you to serve everything through HTTPS and these TLDs are included on the HSTS preload list without needing individual HSTS registration or configuration.

I moved over my one-page personal website to csaba.page. csabatechnology.github.io and csabaconsulting.github.io will redirect to here. I also bought csaba.dev and csaba.app, until they have individual content they’ll redirect as well.

I could experience the security first hand when I found a page which SSL certificate expired.

  1. HSTS works: the browsers didn’t allow to place any exceptions for the certificate any more. So there’s no way to view the site with an evergreen browser (I tried Firefox and Chrome)
  2. Domain privacy protection works as well. Google’s domain registrar and other registrars as well offer privacy protection. This means that emails and addresses are redacted from the registrar listing and could only be accessed in a cumbersome way. I thought I’ll contact the webmaster of that site, but due to the privacy protection I was not able to get to an email address. Which is how it should be, if the privacy protection is on.