# We're a featured .app domain on Google's Registry We're proud to have been listed on [Google's 1 year anniversary post](https://www.registry.google/announcements/appsaroundtheworld/#!/) about the launch of the .APP top level domain. ## A year of .APP A year ago, on May 8th 2018, Google launched a new top level domain (TLD) called _.app_. At that time, Oh Dear! had just launched on the *ohdearapp.com* domain. It was a no-brainer for us to migrate our domain from *ohdearapp.com* to *ohdear.app*. The launch of the .APP TLD was perfectly timed for us! Within the first couple of weeks, we registered the domain and moved all our services over to the *ohdear.app* domain. ## Improved security with HSTS HSTS stands for _HTTP Strict Transport Security_. It's a mechanisme that allows a website to signal that it should only be reached via HTTPS - the encrypted HTTP - instead of the plain text HyperText Transfer Protocol. When we were at our _.com_ domain, we added the following header to our website and all its pages. ``` $ curl -I https://ohdearapp.com ... Strict-Transport-Security: max-age=31536000 ``` Whenever a browser would visit our site, it would remember for 31536000 seconds (365 days) that it can only reach our domain via HTTPS. This prevents man-in-the-middle attacks where a connection would be downgraded from HTTPS to HTTP to snoop on the data being transferred over the wire. With the _.app_ domain, we no long need this. ## TLD-wide implementation of HSTS More acronyms! ;-) One of the nice features of having a _.APP_ domain, is that it *automatically requires HTTPS*. There is no workaround. Why? Because browsers have a thing called _preloaded HSTS lists_. Instead of waiting to visit a site for the first time, to read the HSTS header, browsers have lists of domains that want to have that configuration _preloaded_. Usually, those lists include specific domains. However, for _.APP_ (and a few others, like _.DEV_), there's a TLD-wide preload. That means browsers that trust this list (which is Chrome + Firefox and many others) will *automatically upgrade an HTTP connection to HTTPS for every domain ending in _.APP_*. We no longer need this header (although we might as well have just left if there, there's no harm in that) and it makes the entire _.APP_ top level domain safer as it enforces HTTPS. Since one of our focusses is the [extensive monitoring of HTTPS certificates](/docs/features/certificate-health-monitoring), we applaud any action that encourages the use of HTTPS over HTTP.