ID: 1974046
Applies to: Dream Daemon
Status: Open

So yesterday I made the mistake of turning HSTS (HTTP Strict Transport Security) on for my website.

HSTS is a way a web server can tell a browser to only connect to that website over an encrypted connection (https vs http).

This prevents an attacker (like somebody connected to the same wifi hotspot as you) from sending your computer to an unencrypted version of a site, then snooping on the connection to see your login info.

Here's the issue: now that I've turned it on, if somebody attempts to connect to the webclient hosted at the same address (but a different port), Chrome will see the website on the HSTS list and attempt to connect to Dream Daemon over https:

Chrome Wrote:
Navigated to http://www.byond.com/play/tgstation13.org:31337
GET https://tgstation13.org:31337/query net::ERR_CONNECTION_RESET

(I spent 2 hours trying to figure out why this webclient wasn't working.) (This webclient is important to the operations of my website, as it is used to securely link a BYOND account to a forum account: the forum sends you to the webclient, the webclient stores your BYOND key in the database attached to a token, the webclient sends you back to the forums with the token, and the forums read the token and get your BYOND key from the database.)

Now, I can fix this by using another domain or the IP version of the link (and I also plan to file a bug report or FR with the IETF requesting the ability to restrict the ports HSTS applies to), but as encrypted https becomes more common, and HSTS pinning happens more often, this issue will only get worse if HSTS doesn't get an option to restrict it to standard web ports.

What could work would be a simple way to add proper signed SSL support: an option, maybe command line based, pointing to the files for the key, the cert, and the intermediate (or require the intermediate be combined with the cert).

Then you either detect SSL (harder because of how libssl tends to want to manage the connection from the start) or have an -sslport option.
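To make the port behaviour described above concrete, here is an added example (not code from the post, BYOND or Chrome) that models the HSTS rules a browser follows per RFC 6797: the policy is keyed on the host name only, an http:// URL to a known host is upgraded with its port preserved (so tgstation13.org:31337 is upgraded just like port 80), IP literals are never HSTS hosts, and includeSubDomains extends the policy to child names. The store, timestamps and the 203.0.113.10 address are constructed for the example.

```python
import ipaddress
import time
from urllib.parse import urlsplit, urlunsplit

def parse_sts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            max_age = int(val.strip().strip('"'))
        elif name.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def record_hsts(store, host, header, now=None):
    """Record a policy for host the way a browser does after an HTTPS response."""
    now = time.time() if now is None else now
    max_age, include_sub = parse_sts(header)
    if max_age is None:
        return store
    if max_age == 0:
        store.pop(host.lower(), None)  # max-age=0 deletes the entry
    else:
        store[host.lower()] = (now + max_age, include_sub)  # (expiry, includeSubDomains)
    return store

def is_known_hsts_host(store, host, now=None):
    """True when an unexpired policy covers host. IP literals never match (RFC 6797 8.1.1)."""
    now = time.time() if now is None else now
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        # exact match always applies; a parent domain only with includeSubDomains
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return True
    return False

def upgrade_url(store, url, now=None):
    """Rewrite http:// to https:// for known hosts; the port is kept unless it is 80 (RFC 6797 8.3)."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not is_known_hsts_host(store, parts.hostname, now):
        return url
    port = parts.port
    netloc = parts.hostname if port in (None, 80) else f"{parts.hostname}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Running upgrade_url on http://tgstation13.org:31337/query with a policy recorded for tgstation13.org yields https://tgstation13.org:31337/query, which is exactly the request Chrome logged above.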
I hope to support SSL in the medium future--it's a matter of learning about and integrating libcurl. I can't offer a timeline yet but it's in my plans.
In response to Lummox JR
Lummox JR wrote:
I hope to support SSL in the medium future--it's a matter of learning about and integrating libcurl. I can't offer a timeline yet but it's in my plans.

Libcurl will be a great addition, not only for SSL. If you enable us to use it in code the possibilities are almost endless.