HTTPS-only TLDs — extensions that enforce HTTPS by default

HSTS-preloaded, always-secure extensions

In one sentence

HTTPS-only TLDs are extensions whose entire namespace is on the browser HSTS preload list, so every site loads over HTTPS automatically and plain HTTP is refused. The core set comes from Google Registry — .app, .dev, .page and .new — meaning you must have a valid TLS certificate for any domain under them. There is no insecure fallback, which makes these extensions a built-in security signal.

What "HTTPS-only" means at the TLD level

Most extensions leave HTTPS up to the site owner. A handful go further: the registry adds the whole extension to the HSTS preload list — a list compiled by the Chromium project and shipped inside Chrome, Firefox, Safari and Edge. Once an extension is preloaded, browsers refuse to make an insecure HTTP connection to any domain under it, before the site even responds. The practical effect: every .app or .dev site must serve a valid TLS certificate or it will not load at all. This eliminates downgrade attacks and mixed-content issues for the entire namespace by design.
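The lookup described above, as an added example that is not code from this page or from Chromium: it checks whether a hostname falls under a preloaded entry and applies the HTTP-to-HTTPS rewrite a browser performs before connecting. The sample entries are constructed, and their field names are an assumption modelled on Chromium's transport_security_state_static.json.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample shaped like the "entries" array of Chromium's
# transport_security_state_static.json. Field names are an assumption to check
# against the current file; login.example.com is a made-up per-site entry.
SAMPLE_PRELOAD_JSON = """
{"entries": [
  {"name": "app", "mode": "force-https", "include_subdomains": true},
  {"name": "dev", "mode": "force-https", "include_subdomains": true},
  {"name": "login.example.com", "mode": "force-https", "include_subdomains": false}
]}
"""


def load_entries(text):
    """Index preload entries by lower-cased host name."""
    return {e["name"].lower(): e for e in json.loads(text)["entries"]}


def preload_match(hostname, entries):
    """Return the entry name that forces HTTPS for hostname, or None.

    An exact match always applies. A parent entry applies only if it sets
    include_subdomains, which is how one TLD entry covers a whole namespace.
    """
    labels = hostname.strip().rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = entries.get(candidate)
        if entry is None or entry.get("mode") != "force-https":
            continue
        if i == 0 or entry.get("include_subdomains", False):
            return candidate
    return None


def upgrade_url(url, entries):
    """Rewrite http:// to https:// for covered hosts, as a browser does before connecting."""
    parts = urlsplit(url)
    if parts.scheme != "http" or preload_match(parts.hostname or "", entries) is None:
        return url
    netloc = parts.netloc
    if parts.port == 80:  # RFC 6797 section 8.3: explicit port 80 becomes 443
        netloc = netloc.rsplit(":", 1)[0] + ":443"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


ENTRIES = load_entries(SAMPLE_PRELOAD_JSON)
```

The rewrite happens inside the client that ships the list, so a server under one of these extensions that still listens on port 80 remains reachable over plain HTTP by clients that do not consult the preload list.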

HTTPS-only TLDs reference list

Core HSTS-preloaded extensions, with their operator and intended audience. The preload list evolves; check the current list for a specific extension if your security policy depends on it.

| Extension | Operator | Intended audience | Security policy |
|---|---|---|---|
| .app | Google Registry | Apps & software products | HSTS-preloaded — HTTPS mandatory |
| .dev | Google Registry | Developers & engineering tools | HSTS-preloaded — HTTPS mandatory |
| .page | Google Registry | Personal & project pages | HSTS-preloaded — HTTPS mandatory |
| .new | Google Registry | Action shortcuts (e.g. doc.new) | HSTS-preloaded — HTTPS mandatory |
| .gle / .google | Google Registry | Google brand / shortlinks | Secure-by-policy |
| .chrome | Google Registry | Chrome brand | Secure-by-policy |

The authoritative source is the Chromium HSTS preload list; registry policy can change. Operator data from the IANA root zone database.

What this means in practice

If you register a .app, .dev or .page domain, set up TLS before you point traffic at it — without a certificate, visitors see a connection error rather than your site. The good news is that a free certificate from a provider like Let's Encrypt fully satisfies the requirement, so the only real cost is a few minutes of setup. In return you get a namespace that can never be served insecurely, which is a genuine trust and security advantage for software, developer and app brands.

In short. HTTPS-only extensions (.app, .dev, .page, .new) force HTTPS for the whole namespace via HSTS preload. Get a valid TLS certificate first; the payoff is built-in security and zero mixed-content risk. See related secure-tech extensions in new TLDs.

Frequently asked questions

What is an HTTPS-only TLD?
An extension where the whole namespace is on the browser HSTS preload list, so any domain under it loads over HTTPS automatically and plain HTTP is refused. You must have a valid TLS certificate; there is no insecure fallback.

Which TLDs require HTTPS?
The best-known are Google Registry's secure extensions — .app, .dev, .page and .new are commonly cited as HSTS-preloaded. The preload list evolves, so verify a specific extension if security is critical.

Do I need an SSL certificate for a .app or .dev domain?
Yes. Because the extension is HSTS-preloaded, browsers will not load the site over plain HTTP at all. A free certificate (e.g. Let's Encrypt) satisfies this — it is a setup requirement, not a cost barrier.

Does HTTPS-enforcement help SEO?
Indirectly — HTTPS is a lightweight ranking signal and is expected by browsers and users. But the TLD being HTTPS-only adds no bonus beyond the standard HTTPS signal. Choose these for security, not a ranking edge. See best TLDs.