There’s a more authoritative test:
https://hstspreload.org/?domain=kicksecure.com
Status: kicksecure.com is currently preloaded, but no longer meets the requirements. It may be at risk of removal.
Error: HTTP redirects to www first
http://kicksecure.com (HTTP) should immediately redirect to https://kicksecure.com (HTTPS) before adding the www subdomain. Right now, the first redirect is to https://www.kicksecure.com/. The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.
Now that’s a problem.
(Whonix is based on Kicksecure.)
whonix.org acts the same, but somehow https://hstspreload.org/?domain=whonix.org shows that it’s OK. Maybe that’s because whonix.org has been on the HSTS preload list since it was still maintained manually by Chromium developers, whereas nowadays it’s automated (kicksecure.com being a younger domain name).
So it’s either
- A) a double redirect (bad for website speed) or,
- B) the risk of HSTS preload list removal when not using the double redirect.
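
The redirect-order rule quoted above can be checked against a recorded redirect chain. The following is an added example, not part of the original post and not hstspreload.org's code: the function names, the `example.org` hops and the header values are constructed, and the header thresholds (max-age of at least one year, `includeSubDomains`, `preload`) are the preload list's published submission requirements.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)
MIN_MAX_AGE = 31536000  # one year, the preload list's minimum max-age

def check_first_redirect(domain, chain):
    """chain: (url, status, location) hops recorded while following
    redirects from http://<domain>. Returns (ok, message)."""
    if not chain:
        return False, "empty chain"
    url, status, location = chain[0]
    start = urlsplit(url)
    if start.scheme != "http" or start.hostname != domain.lower():
        return False, "chain must start at http://" + domain
    if status not in REDIRECT_CODES or not location:
        return False, "HTTP does not redirect"
    # Location may be relative; resolve it against the requested URL.
    target = urlsplit(urljoin(url, location))
    if target.scheme != "https":
        return False, "first redirect is not to HTTPS"
    if target.hostname != domain.lower():
        # The failure reported above: the apex HTTPS host is skipped,
        # so its HSTS header is never seen by the browser.
        return False, "HTTP redirects to %s first" % target.hostname
    return True, "ok"

def hsts_preload_ready(header):
    """True if a Strict-Transport-Security value meets the preload criteria."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return False
    return (max_age >= MIN_MAX_AGE and "includesubdomains" in directives
            and "preload" in directives)

# Constructed chains mirroring options B (single hop) and A (double redirect).
CHAIN_WWW_FIRST = [("http://example.org/", 301, "https://www.example.org/")]
CHAIN_APEX_FIRST = [
    ("http://example.org/", 301, "https://example.org/"),
    ("https://example.org/", 301, "https://www.example.org/"),
]

if __name__ == "__main__":
    for chain in (CHAIN_WWW_FIRST, CHAIN_APEX_FIRST):
        print(check_first_redirect("example.org", chain))
```
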