HSTS Studio

HSTS preload readiness checker

The browser preload list is a strong, slow-to-undo commitment. This runs the exact hstspreload.org requirements as a checklist so you know you will pass before you submit.

Runs the exact requirements the browser preload list enforces.

The requirements, in plain terms

To be accepted onto the preload list your apex must: serve a Strict-Transport-Security header over HTTPS with a max-age of at least one year (31536000), include the includeSubDomains directive, include the preload directive, and redirect plain HTTP to HTTPS on the same host. Miss any one and the submission is rejected.

Why to check first

Removal from the preload list ships on the browser release cycle and can take months. Once your domain is preloaded with includeSubDomains, every subdomain — including internal ones — must work over valid HTTPS, or it becomes unreachable in browsers that have the entry baked in. Confirm your whole estate is HTTPS-ready first. If you need to walk it back, see how to safely remove a domain from the preload list, and how to choose a max-age for the ramp-up.