HSTS Studio

HSTS and preload checker

HTTP Strict Transport Security tells browsers to only ever reach your site over HTTPS. Check your header, and whether your domain qualifies for the browser preload list.

Reads the live header over HTTPS and checks the HTTP→HTTPS redirect.

What HSTS protects

The first time someone types your domain without https://, the browser sends a plain HTTP request, and that request can be intercepted or redirected elsewhere before your redirect to HTTPS even runs. HSTS closes that gap: once a browser has seen your Strict-Transport-Security header, it refuses to use HTTP for your domain at all.

The header, explained

Strict-Transport-Security has three parts: max-age (how long, in seconds, the browser remembers), includeSubDomains (apply to every subdomain), and preload (opt in to being shipped inside browsers). We read your live header and explain exactly what each value means.

Preload eligibility

To be added to the browser preload list, your header needs a max-age of at least 31536000 (one year), includeSubDomains, and preload, plus a working HTTPS redirect on the apex. We check each requirement so you know if you are ready to submit at hstspreload.org.
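The requirements above, as an added example (not HSTS Studio's own code): a parser for the header value that reports which preload requirements are unmet. The function names and sample header values are constructed for illustration, and the apex redirect result is passed in as a boolean rather than fetched.

```python
import re

PRELOAD_MIN_AGE = 31536000  # one year, the preload minimum stated above

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; raise ValueError if malformed."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip()  # names are case-insensitive
        if not name:
            continue  # tolerate empty segments such as a trailing ';'
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if len(arg) >= 2 and arg[0] == arg[-1] == '"':
                arg = arg[1:-1]  # the value may be sent as a quoted string
            if not re.fullmatch(r"[0-9]+", arg):
                raise ValueError(f"max-age is not a number of seconds: {arg!r}")
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # any other directive is ignored
    if policy["max_age"] is None:
        raise ValueError("max-age is required")
    return policy

def preload_gaps(value, apex_redirects_to_https):
    """Return the unmet preload requirements; an empty list means eligible."""
    try:
        p = parse_hsts(value)
    except ValueError as exc:
        return [f"invalid header: {exc}"]
    gaps = []
    if p["max_age"] < PRELOAD_MIN_AGE:
        gaps.append(f"max-age {p['max_age']} is below {PRELOAD_MIN_AGE}")
    if not p["include_subdomains"]:
        gaps.append("includeSubDomains missing")
    if not p["preload"]:
        gaps.append("preload missing")
    if not apex_redirects_to_https:
        gaps.append("apex does not redirect HTTP to HTTPS")
    return gaps

if __name__ == "__main__":
    # Constructed sample: a short rollout value that is not yet preload-ready.
    print(preload_gaps("max-age=86400; includeSubDomains", True))
```

A header that repeats a directive is reported as invalid rather than guessed at, since a checker should not pick which of two max-age values the browser will honour.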

Frequently asked

What max-age should I use?

For preload you need at least one year (31536000 seconds). Start smaller — a few days — while you confirm every subdomain works over HTTPS, then raise it, because once set, browsers will refuse HTTP for that whole duration.

Is includeSubDomains safe?

Only enable it once every subdomain, including internal ones, is reachable over valid HTTPS. If a subdomain is HTTP-only, includeSubDomains will make it unreachable in browsers that have seen your header.

Can I remove a domain from the preload list?

Yes, but removal is slow — it ships in a future browser release and can take months. Preload is a strong commitment, so confirm your HTTPS setup is complete before submitting.