Free HTTP Security Checker & HSTS Validator

Test HTTP security online. Validate HTTP Strict Transport Security (HSTS) configuration, test HTTP to HTTPS redirects, check HSTS preload list status, and ensure proper HTTPS enforcement. Protect against man-in-the-middle attacks.


  • HSTS Validation: Check if the HTTP Strict Transport Security header is properly configured with correct max-age and directives
  • Redirect Analysis: Verify HTTP to HTTPS redirects are working correctly and analyze the complete redirect chain
  • Preload Status: Check HSTS preload list status and verify if your domain is included in browser preload lists

What We Check

HSTS Header Configuration

  • Presence of Strict-Transport-Security header
  • Max-age value and recommended duration
  • includeSubDomains directive
  • preload directive for preload list eligibility

HTTP to HTTPS Redirects

  • Automatic redirect from HTTP to HTTPS
  • Redirect status codes (301 vs 302)
  • Complete redirect chain analysis
  • Identification of redirect loops or issues

HSTS Preload List

  • Current preload list status
  • Eligibility for HSTS preload submission
  • Preload requirements validation
  • Chrome, Firefox, Safari preload status

Security Recommendations

  • Optimal max-age configuration
  • Subdomain coverage recommendations
  • Preload list submission guidance
  • Best practices for HTTPS enforcement

Understanding HSTS

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against protocol downgrade attacks and cookie hijacking. When a browser receives the HSTS header from a website over HTTPS, it remembers the policy for the number of seconds given in max-age and automatically upgrades all HTTP requests to that site to HTTPS.

Key Benefits:

  • Prevents Man-in-the-Middle Attacks: Forces all communication over HTTPS
  • Blocks Protocol Downgrade: Users cannot accidentally use HTTP
  • Cookie Protection: Prevents cookie theft over insecure connections
  • Browser Enforcement: Browsers remember to always use HTTPS
  • Preload Benefits: Browsers enforce HTTPS even on first visit

HSTS Preload List Requirements

Prerequisites

  • Valid HTTPS Certificate: Serve a valid certificate on all subdomains
  • HTTP Redirects: Redirect all HTTP traffic to HTTPS
  • HSTS Header on Base Domain: Serve HSTS header on the base domain over HTTPS

Header Requirements

  • max-age ≥ 31536000: The value is in seconds, so at least 1 year (recommended 2 years)
  • includeSubDomains Directive: Must include all subdomains
  • preload Directive: Explicitly opt in to the preload list

Example HSTS Header:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Important: HSTS Preload List Commitment

Adding your domain to the HSTS preload list is a permanent commitment. Once preloaded, browsers will refuse to connect to your domain over HTTP, even on first visit. This provides maximum security, but keep the following in mind:

  • All subdomains must support HTTPS (includeSubDomains directive)
  • Removal from the preload list takes months to propagate
  • Broken HTTPS on any subdomain will make it inaccessible
  • Thoroughly test before submitting to the preload list

  • 100M+ domains using HSTS
  • 200K+ domains on preload list
  • 96% reduction in MITM attacks
