List of top-level domains (TLDs) that require HTTPS connections, like .dev
Solution 1:
A direct answer to this would eventually become outdated if more top-level domains start enforcing HTTPS using HTTP Strict Transport Security (HSTS, RFC 6797). Technically this is an HSTS policy of a TLD submitted to the preloading list. It started with Google's new TLDs,
The HSTS preload list can contain individual domains or subdomains and even top-level domains (TLDs), which are added through the HSTS website. The TLD is the last part of the domain name, e.g.,
.com,.net, or.org. Google operates 45 TLDs, including.how, and.soy. In 2015 we created the first secure TLD when we added.fooand.dev.
and there has even been preliminary thoughts on the possibility of protecting the entire .gov in the future:
Zooming out even further: it’s technically possible to preload HSTS for an entire top-level domain (e.g. “
.gov”), as Google first did with.govcan get there.
To know the current situation, one must consult the Chromium HSTS Preloaded list.
The preloaded list is also available on Chromium's GitHub mirror; especially the raw version is best for curl or wget. The list is a non-standard JSON with comment lines. It is possible to analyse it with jq after removing the comments with e.g. sed.
Here, the jq gives all domain names on the preloaded list and the grep reduces it into TLDs:
cat transport_security_state_static.json \
| sed 's/^\s*\/\/.*//' \
| sed '/^$/d' \
| jq -r '.entries[]|select(.include_subdomains==true)|"\(.name)"' \
| grep -P "^\.?[a-z]*\.?$"
To search for public suffixes instead of TLDs:
cat transport_security_state_static.json \
| sed 's/^\s*\/\/.*//' \
| sed '/^$/d' \
| jq '.entries[]' \
| jq 'select((.policy=="public-suffix") and (.include_subdomains==true))' \
| jq -r '"\(.name)"'