HSTS checker

Read a site's Strict-Transport-Security header and check it against the official HSTS preload requirements — before you commit to submitting.

An HSTS checker that reads the real header

HTTP Strict Transport Security tells browsers to only ever connect to your site over HTTPS, which shuts down a whole class of downgrade and cookie-hijacking attacks. It's delivered through the Strict-Transport-Security response header, and the details in that header (the max-age, whether it covers subdomains, whether it opts into preload) determine how strong the protection is. This HSTS checker reads the header directly from the origin server and breaks down exactly what it says, so you can confirm that Strict-Transport-Security is configured the way you intended.

Check HSTS preload list eligibility

Getting onto the browser preload list — the hardcoded list Chrome, Firefox, and Safari ship with — means browsers enforce HTTPS for your domain even on the very first visit, before they've ever seen your header. The official requirements at hstspreload.org are specific, and this tool checks each one against your live configuration: a max-age of at least one year, the includeSubDomains directive, the preload directive, and a working HTTP-to-HTTPS redirect. You'll see which requirements you meet and which are still missing, so you know whether you're ready before you submit to the HSTS preload list.
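The header-side checks listed above can be reproduced offline. The following is an added example, not this tool's own code: the function names are illustrative, the sample headers are constructed, and the redirect result is passed in as a flag because testing it needs a live request.

```python
# Added example: parse_hsts, preload_report and missing are illustrative names.
ONE_YEAR = 31536000  # seconds; the "at least one year" threshold

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict of directives.

    Returns None when a browser would ignore the header: max-age missing or
    not a non-negative integer, or a directive repeated (RFC 6797, 6.1).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        if name in directives:
            return None                    # each directive may appear only once
        directives[name] = raw.strip().strip('"')  # value may be a quoted string
    age = directives.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        return None
    directives["max-age"] = int(age)
    return directives

def preload_report(value, http_redirects_to_https):
    """Map each of the four requirements named above to True or False."""
    d = parse_hsts(value) or {}            # an ignored header satisfies nothing
    return {
        "max-age >= 1 year": d.get("max-age", 0) >= ONE_YEAR,
        "includeSubDomains": "includesubdomains" in d,
        "preload": "preload" in d,
        "HTTP-to-HTTPS redirect": bool(http_redirects_to_https),
    }

def missing(value, http_redirects_to_https):
    """List the requirements that are not yet met, in report order."""
    report = preload_report(value, http_redirects_to_https)
    return [name for name, ok in report.items() if not ok]

if __name__ == "__main__":
    # Constructed sample header values
    for header in ("max-age=63072000; includeSubDomains; preload",
                   "max-age=300; includeSubDomains",
                   "max-age=31536000; max-age=0; preload"):
        print(repr(header), "->", missing(header, True) or "all four met")
```

A header with a repeated directive or no max-age reports every header requirement as missing, because a conforming browser discards the whole header rather than honouring the parts it can read.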

Preload is a serious, hard-to-reverse commitment

This is the part a lot of tools skip, and it matters. Once your domain is on the preload list, every subdomain must serve valid HTTPS — and removing yourself from the list is slow, taking months to roll out through browser releases. If you preload before a subdomain is ready for HTTPS, that subdomain becomes unreachable for users, and you can't quickly undo it. So the honest advice is: confirm every subdomain (including internal ones) can do HTTPS before you add includeSubDomains and preload and submit. This checker helps you verify the header side; the subdomain readiness is on you to confirm.

HSTS without preload is still good security

Preload is opt-in and not the right choice for everyone. A strong Strict-Transport-Security header with a long max-age protects your returning visitors perfectly well without ever joining the preload list. So if this tool shows your header is present and healthy but not preload-eligible, that isn't a failure — it only matters if preloading is a goal you're pursuing. We report the facts of your configuration and let you decide.

Auditing HTTPS more broadly? The security headers check covers HSTS alongside CSP, X-Frame-Options, and the rest, and the SSL checker reports on the certificate itself.