Description
FAQ
- Yes, my issue is not about variability or throttling.
- Yes, my issue is not about a specific accessibility audit (file with axe-core instead).
- Yes, my issue is not answered by other FAQs.
URL
What happened?
Lighthouse will report, "No preload directive found" for a website that includes `strict-transport-security: max-age=31536000; includeSubDomains` in its response headers. This makes sense at first glance because there is no preload directive. However, some TLDs (like .app, .dev) and public suffixes are already in the HSTS preload list and therefore any domain underneath them automatically requires HTTPS -- the website doesn't need its own HSTS policy let alone the preload directive.
Relevant code:
lighthouse/core/audits/has-hsts.js
Line 13 in 9b75b03
title: 'Use a strong HSTS policy',
What did you expect?
Ideally Lighthouse would check the HSTS preload policy for the TLD or public suffix of the website being tested.
What have you tried?
No response
How were you running Lighthouse?
Chrome DevTools
Lighthouse Version
12.6.1
Chrome Version
Version 139.0.7258.157 (Official Build) (arm64)
Node Version
No response
OS
macOS 15.6.1
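The check requested above could look like the following sketch. It is an added example, not part of the original issue and not Lighthouse code; the function names and the `PRELOADED` sample list are assumptions, with constructed entries standing in for the browser's full HSTS preload list.

```javascript
// Added example, not Lighthouse code. PRELOADED is a constructed sample;
// a real check would load the browser's full HSTS preload list.
const PRELOADED = [
  {name: 'app', includeSubdomains: true},
  {name: 'dev', includeSubdomains: true},
  {name: 'example.org', includeSubdomains: false}, // constructed entry
];

// Parse a Strict-Transport-Security header value into its directives.
function parseHsts(value) {
  const out = {maxAge: null, includeSubDomains: false, preload: false};
  for (const part of String(value || '').split(';')) {
    const [rawName, rawVal = ''] = part.split('=');
    const name = rawName.trim().toLowerCase();
    if (name === 'max-age') {
      const v = rawVal.trim().replace(/^"|"$/g, '');
      if (/^\d+$/.test(v)) out.maxAge = Number(v);
    } else if (name === 'includesubdomains') out.includeSubDomains = true;
    else if (name === 'preload') out.preload = true;
  }
  return out;
}

// Return the preload entry covering host: an exact match, or a parent
// (up to the TLD) whose entry applies to subdomains. Otherwise null.
function preloadCoverage(host, list = PRELOADED) {
  const labels = host.toLowerCase().replace(/\.$/, '').split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    const entry = list.find(e => e.name === candidate);
    if (entry && (i === 0 || entry.includeSubdomains)) return entry.name;
  }
  return null;
}

// Decide whether "No preload directive found" is worth reporting.
function preloadFinding(host, headerValue) {
  const coveredBy = preloadCoverage(host);
  if (coveredBy) return {report: false, reason: `preloaded via ${coveredBy}`};
  const hsts = parseHsts(headerValue);
  if (hsts.preload) return {report: false, reason: 'preload directive present'};
  return {report: true, reason: 'No preload directive found'};
}
```

A parent entry only counts when it applies to subdomains, which is why `sub.example.org` is not treated as covered by the constructed `example.org` entry.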