.dev, .app, and .page are on the HSTS preload list, making HTTP access impossible. This is a manifestation of Google Registry’s design philosophy — implementing the assertion that “security should be the default, not an option” at the domain level.

A rare case where a technical choice doubles as an ethical statement.

HSTS preloading is a mechanism where browsers are pre-configured to connect to specific domains exclusively via HTTPS. Unlike standard HSTS headers — which require “connecting via HTTP once, then switching to HTTPS” — preloading creates a world where “only HTTPS has ever existed.”

This philosophy means the TLD owner (in this case, Google) can enforce security policy on every site using that TLD. The moment you acquire a domain, encryption is an obligation, not a choice — that is the worldview of .dev, .app, and .page.