Free HSTS Checker
Validate your HTTP Strict Transport Security (HSTS) header in seconds. Check the max-age, includeSubDomains and preload directives, confirm your HSTS preload list status, and see exactly what to fix before submitting to the preload list.
HSTS Header Validation
Confirm the Strict-Transport-Security header is present and parse every directive for correctness.
Directive Analysis
Check max-age duration, the includeSubDomains directive, and the preload flag against current best practice.
Preload List Status
See whether your domain is on the HSTS preload list and whether it meets the requirements to be submitted.
What the HSTS Checker Tests
HSTS Header Configuration
- Presence of the Strict-Transport-Security header
- max-age value and recommended duration
- includeSubDomains directive
- preload directive for preload list eligibility
Directive Best Practice
- max-age of at least 1 year (2 years recommended)
- Subdomain coverage via includeSubDomains
- Correct preload opt-in syntax
- Detection of weak or expiring policies
HSTS Preload List
- Current preload list status
- Eligibility for preload submission
- Preload requirements validation
- Chrome, Firefox and Safari preload coverage
Recommendations
- Optimal max-age configuration
- Subdomain coverage guidance
- Step-by-step preload submission advice
- Fixes for common HSTS mistakes
Understanding HSTS
HTTP Strict Transport Security (HSTS) is a web security policy that protects sites against protocol downgrade attacks and cookie hijacking. When a site sends the HSTS header, browsers remember to upgrade every future request to HTTPS automatically, even if a user types http:// or clicks an insecure link.
Key benefits:
- Prevents man-in-the-middle attacks: forces all communication over HTTPS
- Blocks protocol downgrade: users cannot accidentally fall back to HTTP
- Cookie protection: stops cookie theft over insecure connections
- Browser enforcement: browsers remember to always use HTTPS
- Preload benefits: browsers enforce HTTPS even on the very first visit
HSTS Preload List Requirements
Prerequisites
Valid HTTPS Certificate
Serve a valid certificate on all subdomains
HTTP Redirects
Redirect all HTTP traffic to HTTPS
HSTS Header on Base Domain
Serve the HSTS header on the base domain over HTTPS
Header Requirements
max-age ≥ 31536000
At least 1 year (2 years recommended)
includeSubDomains Directive
Must cover all subdomains
preload Directive
Explicitly opt in to the preload list
Example HSTS header:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Important: HSTS Preload List Commitment
Adding your domain to the HSTS preload list is a near-permanent commitment. Once preloaded, browsers refuse to connect to your domain over HTTP, even on the first visit. This gives you maximum security but requires:
- All subdomains must support HTTPS (includeSubDomains directive)
- Removal from the preload list takes months to propagate
- Broken HTTPS on any subdomain will make that subdomain inaccessible
- Test thoroughly before submitting to the preload list
Need to confirm your HTTP to HTTPS redirects and the full redirect chain too? Try the HTTP Security Checker.
That's Just the Beginning
This HSTS Check scan caught some issues. Run a Full Security Scan to uncover hidden threats like exposed secrets, malicious scripts, and supply chain attacks this quick check missed.