Removing www. before upgrading to HTTPS

Hello,

I have Always Use HTTPS enabled on my website, but I also have a 301 Redirect from *.example.com → https://example.com.

I was taking a look at HSTS Preload, and it complained that http://www.example.com should first redirect to httpS://www.example.com before redirecting to a different host (in other words, that I should change my page rule to https://*.example.com → https://example.com, thus allowing Cloudflare to upgrade the connection before my Page Rule takes effect).

I’m trying to understand the implications of this in a broad/general sense. Is it a security risk to redirect an HTTP connection to HTTPS on a different host? Wouldn’t the extra redirect cause extra overhead? It may well be negligible, but I’m trying to understand this from an academic standpoint.

Does it actually matter?

Thanks in advance for any insight.

Sorry about all the broken formatting, but the forum obnoxiously kept blocking my post for having links in it.

(Edit: Fixed—I can now post links.)

Are you trying to HSTS preload the www subdomain?

I do find it interesting that it’s pushing you to do a double-redirect, which most people try to avoid, quite often for SEO reasons.

I’d imagine that the logic is: why are you setting up HSTS on a subdomain if you’re not even going to use it?

It’d be best to preload the entire domain, then set it to apply to subdomains, and be done with it.

Hi @sdayman, thanks for the response.

It’d be best to preload the entire domain, then set it to apply to subdomains, and be done with it.

Yes, I’ve already submitted the root domain for preloading, and I was just looking at subdomains strictly out of academic curiosity. They don’t allow you to submit subdomains anyway.

So I still wonder: what are the implications of redirecting from www to the root domain before upgrading to HTTPS, as opposed to after?

I do find it interesting that it’s pushing you to do a double-redirect, which most people try to avoid, quite often for SEO reasons.

So are you saying it is better to redirect http://www.example.com straight to https://example.com?

It’s best to make sure your initial connection is secure before letting it send you somewhere else.
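The redirect ordering discussed in this thread, as an added example that is not part of any post: a small Python checker, run over two constructed redirect chains, that flags an http:// URL whose first redirect lands on a different host instead of on the HTTPS version of the same host. The function name and the sample chains are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def check_redirect_chain(chain):
    """chain: URLs in the order a client visits them (constructed input).

    Returns a list of findings; an empty list means the chain upgrades to
    HTTPS on the original host before going anywhere else.
    """
    hops = [urlsplit(u) for u in chain]
    if not hops or hops[0].scheme != "http":
        return ["chain must start at an http:// URL"]
    if len(hops) < 2:
        return ["no redirect: the http:// URL is served directly"]

    findings = []
    start, first = hops[0], hops[1]
    if first.scheme != "https":
        findings.append("first redirect does not upgrade to HTTPS")
    if first.hostname != start.hostname:
        findings.append(
            f"first redirect changes host ({start.hostname} -> {first.hostname}) "
            "before HTTPS is established on the original host"
        )
    # Any later hop that drops back to http:// undoes the upgrade.
    for prev, cur in zip(hops[1:], hops[2:]):
        if prev.scheme == "https" and cur.scheme == "http":
            findings.append(f"downgrade to HTTP at {cur.geturl()}")
    return findings


# Constructed chains for the two Page Rule variants discussed in the thread.
DIRECT = ["http://www.example.com/", "https://example.com/"]
UPGRADE_FIRST = [
    "http://www.example.com/",
    "https://www.example.com/",
    "https://example.com/",
]

if __name__ == "__main__":
    for name, chain in (("direct", DIRECT), ("upgrade-first", UPGRADE_FIRST)):
        print(name, check_redirect_chain(chain) or "ok")
```

Browsers only honour a Strict-Transport-Security header received over HTTPS, so in the direct chain www.example.com is never visited over HTTPS and cannot set a policy of its own.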