> If you don't type the https url, you start by visiting the http website. Normally the http version will redirect to https, but a man in the middle can easily prevent this.

This is not entirely correct. HSTS[0] was designed to protect against such attacks.

It's true, however, that not every browser out there supports it yet, and you must visit the website at least once without MITM for the server to successfully communicate HSTS header. (In Chrome certain domains are included in built-in list[1], though.)

[0] https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_s...

[1] https://src.chromium.org/viewvc/chrome/trunk/src/net/http/tr...

https://hstspreload.appspot.com/ says they don't use HSTS as a preload. They should...

Facebook seems to be doing some client sniffing to decide whether to set the headers..

In my browser (FF nightly), I see the HSTS header, with the value: "max-age=15552000; preload"

If I do a request with curl, no header... (which is probably what this app sees).

I don't have a clue why they are doing that, though. Not that curl would do something with the HSTS header anyway, but still...

Facebook has HSTS preload on www.facebook.com, but not on the redirect from facebook.com->www.facebook.com. I suppose they have their reasons

Google.com also doesn't seem to have it.

Google only uses a certificate pin and doesn't force SSL. Sadly.

Yes! I just thought of this and was going to edit it in, but you are quicker. Many websites still don't use HSTS, and in any case this article is from a few months ago (I remember reading it) and HSTS is pretty new.