Google adds HSTS support on youtube.com domain in addition to google.com
▻https://security.googleblog.com/2016/08/adding-youtube-and-calendar-to-https.html
“HSTS prevents people from accidentally navigating to HTTP URLs by automatically converting insecure HTTP URLs into secure HTTPS URLs. Users might navigate to these HTTP URLs by manually typing a protocol-less or HTTP URL in the address bar, or by following HTTP links from other websites.”
At the end of July, Google had already added HSTS to www.google.com
▻https://security.googleblog.com/2016/07/bringing-hsts-to-wwwgooglecom.html
HSTS = HTTP Strict Transport Security
cf ▻https://seenthis.net/messages/98345
More here:
▻https://threatpost.com/google-domain-enables-hsts-protection/119597
and another interesting article here:
▻http://news.netcraft.com/archives/2016/03/17/95-of-https-servers-vulnerable-to-trivial-mitm-attacks.html
95% of HTTPS servers vulnerable to trivial MITM attacks, according to Netcraft.
You can activate HSTS by adding just one line to your server config, so that it sends this response header over HTTPS:
Strict-Transport-Security: max-age=31536000;
[max-age is in seconds; 31536000 = 1 year]