Free HSTS Checker

Validate your HTTP Strict Transport Security (HSTS) header in seconds. Check the max-age, includeSubDomains and preload directives, confirm your HSTS preload list status, and see exactly what to fix before submitting to the preload list.

No credit card required • Instant results

HSTS Header Validation

Confirm the Strict-Transport-Security header is present and parse every directive for correctness.

Directive Analysis

Check max-age duration, the includeSubDomains directive, and the preload flag against current best practice.

Preload List Status

See whether your domain is on the HSTS preload list and whether it meets the requirements to be submitted.

What the HSTS Checker Tests

HSTS Header Configuration

  • Presence of the Strict-Transport-Security header
  • max-age value and recommended duration
  • includeSubDomains directive
  • preload directive for preload list eligibility

Directive Best Practice

  • max-age of at least 1 year (2 years recommended)
  • Subdomain coverage via includeSubDomains
  • Correct preload opt-in syntax
  • Detection of weak policies (short max-age, missing includeSubDomains, header served only over HTTP)

HSTS Preload List

  • Current preload list status
  • Eligibility for preload submission
  • Preload requirements validation
  • Chrome, Firefox and Safari preload coverage

Recommendations

  • Optimal max-age configuration
  • Subdomain coverage guidance
  • Step-by-step preload submission advice
  • Fixes for common HSTS mistakes

Understanding HSTS

HTTP Strict Transport Security (HSTS, RFC 6797) is a web security policy that protects sites against protocol downgrade (SSL-stripping) attacks and cookie hijacking. When a site sends the Strict-Transport-Security header over HTTPS (browsers ignore it on a plain HTTP response), the browser records the policy for max-age seconds and rewrites every future http:// request for that host to https:// before anything leaves the machine, even if a user types http:// or clicks an insecure link. While the policy is in force, certificate errors on that host are hard failures the user cannot click through.

Key benefits:

  • Mitigates SSL-stripping man-in-the-middle attacks: the browser never sends a plaintext request that an on-path attacker could intercept and downgrade
  • Blocks protocol downgrade: users cannot accidentally fall back to HTTP
  • Cookie protection: cookies are never sent over an insecure connection where they could be read (still set the Secure flag on session cookies; HSTS does not change cookie attributes)
  • Browser enforcement: browsers remember to always use HTTPS until max-age expires, and refresh the timer on every HTTPS response carrying the header
  • Preload benefits: browsers enforce HTTPS even on the very first visit, closing the window before the first header has ever been seen
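The browser-side behaviour described above, as an added Python example written for this page (it is not the checker's own code): a simulated HSTS known-host store that follows RFC 6797. The class and function names, the sample hosts (shop.example, preloaded.example) and the fake clock are assumptions made for the walkthrough.

```python
# Simulated browser HSTS "known host" store. Added example, not the checker's
# code; class, method and host names are assumptions. It models RFC 6797
# behaviour: a policy is learned only from an HTTPS response, expires after
# max-age seconds, max-age=0 deletes it, includeSubDomains extends it to every
# subdomain, and a preloaded host is enforced before any response has been seen.
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Policy:
    expires_at: float        # absolute clock time after which the entry is stale
    include_subdomains: bool


class HstsStore:
    def __init__(self, preloaded=(), clock=time.time):
        self.clock = clock
        self.static = {}         # shipped with the browser (preload list)
        self.dynamic = {}        # learned from Strict-Transport-Security headers
        for host, include_subdomains in preloaded:
            self.static[host] = Policy(float("inf"), include_subdomains)

    def observe(self, host, over_https, max_age, include_subdomains=False):
        """Learn a policy from a response's already-parsed STS directives.

        RFC 6797 s8.1: a header received over plain HTTP MUST be ignored,
        otherwise an on-path attacker could plant or clear policies.
        """
        if not over_https:
            return
        if max_age == 0:
            self.dynamic.pop(host, None)   # max-age=0 is the way to revoke a policy
            return
        self.dynamic[host] = Policy(self.clock() + max_age, include_subdomains)

    def is_known(self, host):
        """Exact host match, or a superdomain match whose policy has includeSubDomains."""
        now = self.clock()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            for table in (self.dynamic, self.static):
                policy = table.get(candidate)
                if policy is None:
                    continue
                if policy.expires_at <= now:
                    del table[candidate]       # expired entries no longer apply
                    continue
                if i == 0 or policy.include_subdomains:
                    return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL for a known host (port 80 becomes 443, others kept)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Walk through the cases above with a fake clock; returns the URL the browser would fetch."""
    now = [1_000_000.0]
    store = HstsStore(preloaded=[("preloaded.example", True)], clock=lambda: now[0])
    out = {}
    out["first_visit"] = store.rewrite("http://shop.example/cart")          # no policy yet
    store.observe("shop.example", over_https=False, max_age=63072000, include_subdomains=True)
    out["after_http_header"] = store.rewrite("http://shop.example/cart")    # ignored over HTTP
    store.observe("shop.example", over_https=True, max_age=63072000, include_subdomains=True)
    out["after_https_header"] = store.rewrite("http://shop.example/cart")
    out["subdomain"] = store.rewrite("http://api.shop.example:8080/v1")     # includeSubDomains
    out["preloaded"] = store.rewrite("http://preloaded.example/")           # never visited
    now[0] += 63072000 + 1                                                   # policy lapses
    out["expired"] = store.rewrite("http://shop.example/cart")
    return out


if __name__ == "__main__":
    for case, url in demo().items():
        print(f"{case:>20}: {url}")
```

The first two cases are the gap preloading closes: until a header has been received over HTTPS, nothing stops the plaintext request, and a header delivered over HTTP is deliberately discarded. The last case is why a short max-age weakens the protection: once the timer lapses the host is back to its first-visit state.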

HSTS Preload List Requirements

Prerequisites

Valid HTTPS Certificate

Serve a valid certificate, and serve every subdomain over HTTPS (including www if a DNS record for it exists)

HTTP Redirects

Redirect all HTTP traffic to HTTPS on the same host first (if you listen on port 80); an http://example.com to https://www.example.com hop does not qualify

HSTS Header on Base Domain

Serve the HSTS header on the base domain over HTTPS; if that HTTPS response is itself a redirect (for example to www), the redirect response must carry the header, not only the page it leads to

Header Requirements

max-age ≥ 31536000

At least 1 year (2 years recommended)

includeSubDomains Directive

Must cover all subdomains

preload Directive

Explicitly opt in to the preload list

Example HSTS header:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
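To make "parse every directive" and the header requirements above concrete, here is an added Python example written for this page (not the checker's own implementation; the function names are mine). It parses a Strict-Transport-Security value under the RFC 6797 directive syntax and reports the header-level preload findings listed above, using the 31536000 and 63072000 second thresholds from this page. It covers only the header: the certificate, redirect and subdomain prerequisites still need a live check against the site.

```python
# Strict-Transport-Security parser and preload-eligibility check. Added example,
# not the checker's code; names are assumptions. Follows the RFC 6797 directive
# syntax and the header rules the page lists for hstspreload.org submission.
import re

ONE_YEAR = 31536000     # preload minimum
TWO_YEARS = 63072000    # recommended

# directive-name [ "=" ( token / quoted-string ) ], RFC 6797 s6.1 (quoted
# strings simplified: no backslash escapes). Names use the HTTP tchar set.
_DIRECTIVE = re.compile(
    r'^\s*([!#$%&\'*+\-.^_`|~0-9A-Za-z]+)\s*(?:=\s*(?:"([^"]*)"|([^\s;"]+)))?\s*$'
)


def parse_sts(header_value):
    """Return {lower-cased name: value-or-None}, or raise ValueError.

    Directive names are case-insensitive, each may appear only once, unknown
    directives are kept but have no meaning, and max-age (a non-negative
    integer number of seconds) is mandatory. A browser ignores the whole
    header when any of these rules is broken, so a typo silently leaves the
    site unprotected.
    """
    directives = {}
    for raw in header_value.split(";"):
        if not raw.strip():
            continue                      # empty directives (e.g. a trailing ';') are allowed
        m = _DIRECTIVE.match(raw)
        if not m:
            raise ValueError(f"malformed directive: {raw.strip()!r}")
        name = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    if "max-age" not in directives:
        raise ValueError("max-age is required")
    age = directives["max-age"]
    if age is None or re.fullmatch(r"[0-9]+", age) is None:
        raise ValueError("max-age must be a non-negative integer number of seconds")
    for flag in ("includesubdomains", "preload"):
        if flag in directives and directives[flag] is not None:
            raise ValueError(f"{flag} is a bare flag and takes no value")
    directives["max-age"] = int(age)
    return directives


def check_preload(header_value, over_https=True):
    """Apply the header-level preload requirements. Returns (eligible, findings)."""
    findings = []
    if not over_https:
        findings.append("header seen on a plain HTTP response: browsers ignore it there, serve it over HTTPS")
    try:
        d = parse_sts(header_value)
    except ValueError as err:
        return False, findings + [f"invalid header: {err}"]
    max_age = d["max-age"]
    if max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below the 1-year minimum ({ONE_YEAR})")
    elif max_age < TWO_YEARS:
        findings.append(f"max-age={max_age} meets the minimum; {TWO_YEARS} (2 years) is recommended")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: the preload list requires every subdomain to be covered")
    if "preload" not in d:
        findings.append("preload missing: the list requires an explicit opt-in")
    eligible = over_https and max_age >= ONE_YEAR and "includesubdomains" in d and "preload" in d
    return eligible, findings


if __name__ == "__main__":
    # Constructed sample headers: the page's recommended value, a minimal one,
    # a weak one, and a typo that a browser would silently reject.
    for value in ("max-age=63072000; includeSubDomains; preload",
                  "max-age=31536000; includeSubDomains; preload",
                  "max-age=300",
                  "max-age=63072000; includeSubDomains; preload; preload"):
        print(repr(value), check_preload(value))
```

The duplicate-directive and bare-flag checks matter more than they look: a header that fails to parse is dropped by the browser, so a site can believe it has HSTS while serving none. Run the function against the value fetched from the HTTPS base domain and, separately, against any redirect response it returns.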

Important: HSTS Preload List Commitment

Adding your domain to the HSTS preload list is a near-permanent commitment. Once preloaded, browsers rewrite every http:// URL for your domain to https:// before connecting, even on the very first visit. This gives you maximum security but requires:

  • All subdomains must support HTTPS (includeSubDomains is mandatory), including internal, legacy or forgotten hosts that were never meant to be served over TLS
  • Removal from the preload list takes months to reach users, because it rides on browser release cycles and cached copies keep enforcing the old entry
  • Broken HTTPS on any subdomain makes that subdomain unreachable: users get a hard certificate error they cannot bypass
  • Test thoroughly before submitting: deploy the header first with a short max-age and without preload, raise max-age once nothing breaks, then add preload and submit

Need to confirm your HTTP to HTTPS redirects and the full redirect chain too? Try the HTTP Security Checker.

100M+ domains using HSTS • 200K+ domains on the preload list • 96% reduction in MITM attacks

That's Just the Beginning

This quick check covers only the HSTS header. Run a Full Security Scan to uncover threats it does not look for, such as exposed secrets, malicious scripts, and supply chain attacks.