About redirects and www subdomains

[jomo]

Currently, securethenews states for 'The Verge':

• The default for this website is secure.
• This website allows clients to enforce HTTPS on the primary domain.

However, https://theverge.com actually redirects to http://www.theverge.com (as does http://theverge.com) and has no HSTS header set, either.

That way, typing in 'theverge.com' in your browser will never connect to the site using HTTPS in the beginning (apart from redirect caching).

Websites should always redirect to the same domain on HTTPS, where HSTS should be set. Then any other redirects can be done there. (These are also requirements for the preload list)