HSTS Preload Checker
About the HSTS Preload Checker
The HSTS Preload Checker examines a site's HTTP Strict Transport Security configuration and tells you whether it qualifies for inclusion in the browser preload list. HSTS is an HTTP response header that instructs browsers to only ever connect to a domain over HTTPS for a specified duration, defeating SSL-stripping downgrade attacks and accidental plaintext connections. The checker reads the Strict-Transport-Security header and parses its directives to confirm the policy is strong enough to be trusted.
To be preload-eligible the header must meet specific rules: a max-age of at least one year (31536000 seconds), the includeSubDomains directive, and the preload directive, all served over a valid HTTPS connection with the apex domain redirecting HTTP to HTTPS. The tool verifies each of these conditions and reports which are satisfied and which are missing, so you know exactly what to fix before submitting to hstspreload.org. It also surfaces the actual max-age so you can confirm it is not set too short.
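The directive checks described above, as an added example that is not the checker's own code: it parses a Strict-Transport-Security value the way RFC 6797 lays it out (case-insensitive names, optional quoted values, no repeated directives) and reports the parsed max-age and every preload rule the header fails. The HTTPS and HTTP-to-HTTPS redirect conditions need a live connection and are outside this offline example; the sample headers are constructed.

```python
ONE_YEAR = 31536000  # seconds; minimum max-age the preload list accepts

def parse_hsts(header: str) -> dict:
    """Split an STS value into {name: value-or-None}; names are case-insensitive,
    values may be quoted, and a repeated directive is rejected (RFC 6797)."""
    directives = {}
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, sep, value = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value.strip().strip('"') if sep else None
    return directives

def check_preload(header: str) -> dict:
    """Report the parsed max-age and every preload rule the header fails."""
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        return {"eligible": False, "max_age": None, "missing": [str(exc)]}
    raw = d.get("max-age")
    max_age = int(raw) if raw is not None and raw.isdigit() else None
    missing = []
    if max_age is None:
        missing.append("max-age missing or not a number")
    elif max_age < ONE_YEAR:
        missing.append(f"max-age {max_age} is below {ONE_YEAR}")
    if "includesubdomains" not in d:
        missing.append("includeSubDomains directive missing")
    if "preload" not in d:
        missing.append("preload directive missing")
    return {"eligible": not missing, "max_age": max_age, "missing": missing}

# Constructed sample header values, not captured from any real site.
SAMPLES = {
    "ok": "max-age=63072000; includeSubDomains; preload",
    "too_short": "max-age=86400; includeSubDomains; preload",
    "no_subdomains": "max-age=31536000; preload",
    "quoted": 'max-age="31536000"; includeSubDomains; preload',
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label}: {check_preload(value)}")
```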
Security-conscious operators use this before submitting a domain to the preload list, since once a domain is hardcoded into browsers it is difficult to remove quickly. It is also handy for auditing whether subdomains inherit the policy correctly and for catching the common mistake of setting includeSubDomains without first ensuring every subdomain serves HTTPS. The check pairs well with an SSL certificate checker and a security headers audit.
Be deliberate about preloading: enabling includeSubDomains forces HTTPS on every subdomain, so any internal host still on HTTP will break. Start with a short max-age while testing, then ramp up to a year before adding the preload directive. Remember that removal from the preload list can take many browser release cycles to propagate, so only preload domains you are confident will stay HTTPS-only indefinitely.
Frequently asked questions
- What does HSTS protect against?
- It prevents SSL-stripping and downgrade attacks by telling browsers to always use HTTPS for a domain, so an attacker on the network cannot force a victim onto an insecure plaintext connection.
- What are the requirements for HSTS preloading?
- The Strict-Transport-Security header must include max-age of at least 31536000 seconds (one year), the includeSubDomains directive, and the preload directive, served over HTTPS with HTTP redirecting to HTTPS.
- Is the preload directive enough to be preloaded?
- No. The preload directive only signals intent. You must also submit the domain at hstspreload.org and meet all the criteria, after which it is compiled into browser releases.
- What are the risks of enabling HSTS preload?
- Once preloaded, browsers refuse any HTTP connection to the domain and its subdomains, and removal can take months to propagate. If any subdomain lacks HTTPS, it will become unreachable.