November 3, 2021

What’s Important to know about URL Redirection for .BANK and .INSURANCE Domains

URL Redirection (also referred to as URL forwarding) is a technique used to send a domain’s visitors to a different URL. In the case of .BANK and .INSURANCE domains, there are various reasons to use URL Redirection; here are some common examples:

  1. The owner of BANKNAME.BANK has set up their new .BANK website and to ensure customers reach the bank’s new website, it sets up a redirect so visitors to BANKNAME.COM are automatically taken to BANKNAME.BANK.
  2. The owner of NAMEBANK.BANK and THENAMEBANK.BANK wants to redirect these sites to their primary URL of NAME.BANK to ensure its multiple .BANK domains refer customers to its primary website. 

Regardless of the reason for using URL Redirection, when .BANK and .INSURANCE domains are used to serve content on the Internet, they must be secured with a Transport Layer Security (TLS) certificate that meets fTLD’s Digital Identity Certificate and TLS version requirements.

What Method of URL Redirection is More Secure

HTTP(S) Redirect, a “redirect” feature of the HTTP protocol, is more secure than other methods and has the added advantage of being easier to maintain in the long term. This is why it is the recommended and standard method for URL redirection, and you should use it by default. Other non-standard forms of URL Redirection, such as Meta Refresh and JavaScript, are less secure, more challenging to maintain, do not support various types of redirection (e.g., temporary vs. permanent), and can lead to a bad user experience (e.g., concerns about security if the redirect is not expected, the “Back” button causing some browsers to move back to the redirecting page). In the case of JavaScript redirects, some browsers may not support them.

What else is Unique about .BANK and .INSURANCE Domains

They are on the HSTS Preload list (read more here: https://www.register.bank/january-8-2018/), which means browsers such as Google Chrome and Microsoft Edge will automatically take a visitor to the secure version of the domain, provided it’s secured with a TLS certificate. Conversely, HSTS prevents non-compliant, insecure HTTP sites from loading at all.

All domains are regularly monitored for compliance with fTLD’s Security Requirements. When a domain is out of compliance with any of the requirements, the owner will receive an email from compliance@fTLD.com that identifies the issue(s) to be resolved.

How to Check your URL Redirection Setup

There are a variety of publicly available tools to help owners check the status of their domain(s). A couple of tools fTLD finds to be instructive are Redirect Detective: https://redirectdetective.com/ and Redirect Checker: https://www.redirect-checker.org/index.php. By entering a URL on Redirect Detective you can see the path of the redirection(s), and if none are set up, it will say so. An example of this, for “http://nic.bank”, is shown below. In this case, NIC.BANK is compliantly redirecting because it’s secured with a TLS certificate, which causes the browser to take visitors to https://nic.bank and ultimately to https://www.register.bank. All .BANK and .INSURANCE websites must have a TLS certificate.

It’s important to remember that because .BANK and .INSURANCE are HTTPS-only domains, a failure to comply with the URL redirection requirement will generate a failure notice to the owner. The following URL Redirects and testing results are examples of what you may receive:

  • http://bankname.bank redirects to https://bankname.bank (compliant)
  • http://bankname.bank redirects to https://www.bankname.bank (compliant)
  • http://bankname.bank redirects to http://www.bankname.bank (not compliant as the redirect must be to the HTTPS version of a .BANK domain)
  • http://bankname.bank redirects to https://bankname.com (not compliant as a redirection to a non-.BANK domain must only be made from the HTTPS version of a .BANK domain)
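The rules in the list above can be applied mechanically to a redirect chain copied from a tool such as Redirect Detective. The following is an added example, not fTLD's own compliance tooling: the function names and sample chains are constructed for illustration, and it assumes .BANK and .INSURANCE can be treated as one in-zone set and that a chain ending on plain HTTP in that zone is also a finding.

```python
from urllib.parse import urlsplit

FTLD_ZONES = (".bank", ".insurance")  # the two TLDs the article covers
NEEDS_HTTPS = "redirect must be to the HTTPS version of a .BANK/.INSURANCE domain"
LEAVES_ZONE = "redirect to an outside domain must come from the HTTPS version"
PLAIN_FINAL = "chain ends on a .BANK/.INSURANCE domain served over plain HTTP"


def in_zone(url):
    """True when the URL's hostname ends in .bank or .insurance."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host.endswith(FTLD_ZONES)


def scheme(url):
    return urlsplit(url).scheme  # urlsplit lowercases the scheme


def check_hop(src, dst):
    """Return None when the hop src -> dst is compliant, else the reason."""
    if not (in_zone(src) and scheme(src) == "http"):
        return None  # the listed rules constrain only hops leaving http:// in the zone
    if not in_zone(dst):
        return LEAVES_ZONE
    if scheme(dst) != "https":
        return NEEDS_HTTPS
    return None


def check_chain(urls):
    """Check every hop of a redirect chain; return (src, dst, reason) findings."""
    findings = []
    for src, dst in zip(urls, urls[1:]):
        reason = check_hop(src, dst)
        if reason:
            findings.append((src, dst, reason))
    if urls and in_zone(urls[-1]) and scheme(urls[-1]) == "http":
        findings.append((urls[-1], None, PLAIN_FINAL))  # assumption: HTTPS-only zone
    return findings


# Constructed chains based on the article's examples.
SAMPLES = [
    ["http://nic.bank", "https://nic.bank", "https://www.register.bank"],
    ["http://bankname.bank", "http://www.bankname.bank"],
    ["http://bankname.bank", "https://bankname.com"],
]

if __name__ == "__main__":
    for chain in SAMPLES:
        print(" -> ".join(chain), check_chain(chain) or "compliant")
```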

Summary

Compliance with the .BANK and .INSURANCE security requirements requires adding a TLS certificate to the domain, which has been commonplace for most financial services providers for decades. Once a certificate has been added to the domain, a variety of redirections can be put in place to ensure visitors to it are taken to the intended location. TLS certificates come in all shapes and sizes and are available from a variety of service providers, including from most fTLD-Approved Registrars. There are even free options such as Let’s Encrypt.