Static technical notes on HTTPS-only operation, TLS, and HSTS preload for .dev domains.
The .dev top-level domain is operated by Google Registry and is intended for developer-focused projects, documentation, and technical content. Unlike most registries, .dev shipped with HTTP Strict Transport Security preloaded in browsers.
Every .dev domain must present a valid TLS certificate. Browsers refuse plain HTTP, so there is no fallback mode and no temporary window for insecure setup. The requirement keeps connections encrypted by definition.
HSTS preload lists are built into Chrome, Firefox, Edge, and other mainstream browsers. Because .dev is on those lists, the browser upgrades the connection to HTTPS before reaching the network, reducing downgrade risks.
This reference does not certify operators or audit their deployments. HTTPS enforcement for .dev is a property of the namespace, not an endorsement of individual implementations.