HSTS Checker
Check your HSTS (Strict-Transport-Security) header — max-age, includeSubDomains and preload — and see whether your domain is actually on the browser preload list.
Fetches your site over HTTPS, reads the Strict-Transport-Security header, and checks the official browser preload list.
What HSTS does — in plain terms
Even if your site redirects HTTP to HTTPS, a visitor’s first request often still goes out over plain HTTP — and an attacker on the same network (café Wi-Fi, a hotel, a hostile ISP) can intercept that moment and keep the whole session on HTTP, reading passwords and cookies. This is an SSL-stripping attack. HSTScloses the gap: it’s one HTTP header that tells the browser “for this domain, only ever use HTTPS — never plain HTTP, no exceptions.” The browser remembers it and upgrades every future request automatically.
What we check
max-age
How long (in seconds) the browser remembers the HTTPS-only rule. We look for at least 31536000 (one year). A short max-age lets the guarantee expire between visits; max-age=0 actively switches HSTS off.
includeSubDomains
Extends the HTTPS-only rule to every subdomain. Without it, a subdomain (a login page, an asset host) can still be downgraded. Only add it once all your subdomains serve HTTPS.
preload and the preload list
The strongest form: browsers ship a built-in HSTS preload list, so a preloaded domain is forced to HTTPS on the very first visit, before any header is ever seen. We query the official hstspreload.org status API and tell you exactly where you stand:
- On the preload list — you’re fully covered. We also warn if your live header has since drifted below the requirements (removal is slow and can strand subdomains).
- Eligible but not submitted — your header already qualifies (
preload; includeSubDomains; max-age ≥ 1 year); submit it at hstspreload.org to finish the job. - preload set but not eligible — the directive is there but the requirements aren’t met, so browsers won’t preload it.
Common mistakes
- Adding
preloadbefore every subdomain serves HTTPS — preloading is hard and slow to undo. - A tiny
max-ageleft over from testing, which barely protects anyone. - Sending the header over HTTP only — browsers ignore HSTS unless it arrives over HTTPS.
Related tools & guides
- Security Headers Generator — build the exact header, including preload.
- HTTP Header Checker and SSL / TLS Checker — HSTS is only as good as your HTTPS.
- Guide: how to add security headers.
Frequently asked questions
▸ ▾ What max-age should HSTS use?
At least 31536000 seconds (1 year). Start shorter if cautious, then raise it — and only add preload once you're committed to HTTPS everywhere.
▸ ▾ Does this check the real browser preload list?
Yes — it queries the official hstspreload.org status API to report whether your domain is preloaded, pending, or not on the list.
▸ ▾ Is HSTS safe to enable?
Yes, if your site fully works over HTTPS. Be careful with includeSubDomains and preload: only enable them once every subdomain serves HTTPS, because they're slow to reverse.