20Eki
Is it possible to internally use HSTS preloading for internal domains?
Many companies have internal applications, and it would not be wise to recommend these are opened to the public internet merely for the purpose of them making it onto the HSTS preload list. Even if these services were audited and user credentials are all strong, exposing infrastructure majorly increases the attack surface.
Is there a way to add custom (internal) domains to the preload list in major browsers? For example, rolling this out via the Active Directory to all users?
