HSTS preload — alert when the header disappears after a deploy
Site is on the HSTS preload list, but after an nginx refactor the header is gone. In 3 months the domain will be removed from the preload list. Need a daily check.
Recipe
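```bash
#!/usr/bin/env bash
# Wrap as HTTP endpoint or run as a heartbeat-fed cron job.
# Requires curl >= 7.84.0 for the %header{} write-out variable.
URL="${1:-https://example.com}"
# HEAD request without following redirects: the header must be on this response.
H=$(curl -sI -o /dev/null -w "%header{strict-transport-security}" "$URL") || { echo "fetch-failed"; exit 1; }
[ -z "$H" ] && { echo "missing"; exit 1; }
# Directive names are case-insensitive (RFC 6797), so match with -i.
echo "$H" | grep -qi "preload" || { echo "no-preload"; exit 1; }
# Preload needs max-age >= 31536000 (one year); compare numerically instead of matching two fixed values.
AGE=$(echo "$H" | grep -oiE 'max-age="?[0-9]+' | grep -oE '[0-9]+' | head -n1)
[ "${AGE:-0}" -ge 31536000 ] || { echo "max-age-low"; exit 1; }
echo "$H" | grep -qi "includeSubDomains" || { echo "no-subdomains"; exit 1; }
echo "ok"
```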
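The same verdicts computed from a saved header dump instead of a live request, so the check can be tested offline and also works with curl versions that lack `%header{}`. This is an added example, not part of the original recipe: `hsts_verdict`, `verdict_of` and the sample dumps are constructed for illustration, and it accepts any max-age of at least one year (the preload list minimum).

```bash
#!/usr/bin/env bash
# Added example: verdict logic over raw response headers, testable offline.
MIN_AGE=31536000   # one year, the preload list minimum

# Reads a header dump (as printed by `curl -sI URL`) on stdin and prints one
# of: ok, missing, no-preload, max-age-low, no-subdomains. Returns 0 only for ok.
hsts_verdict() (
  # Header names are case-insensitive; keep the first matching line only,
  # which is the one RFC 6797 tells user agents to process.
  value=$(tr -d '\r' | awk '
    { i = index($0, ":") }
    i && !seen && tolower(substr($0, 1, i - 1)) == "strict-transport-security" {
      print tolower(substr($0, i + 1)); seen = 1
    }')
  [ -n "$value" ] || { echo "missing"; exit 1; }
  # One directive per line, surrounding blanks trimmed.
  directives=$(printf '%s\n' "$value" | tr ';' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
  # max-age may be a bare token or a quoted string.
  age=$(printf '%s\n' "$directives" |
    sed -n 's/^max-age[[:space:]]*=[[:space:]]*"\{0,1\}\([0-9][0-9]*\)"\{0,1\}$/\1/p' |
    head -n 1)
  printf '%s\n' "$directives" | grep -qx 'preload' || { echo "no-preload"; exit 1; }
  [ "${age:-0}" -ge "$MIN_AGE" ] || { echo "max-age-low"; exit 1; }
  printf '%s\n' "$directives" | grep -qx 'includesubdomains' ||
    { echo "no-subdomains"; exit 1; }
  echo "ok"
)

# Constructed header dumps (not captured from a real site).
GOOD='HTTP/2 200\r\nserver: nginx\r\nStrict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n\r\n'
GONE='HTTP/2 200\r\nserver: nginx\r\ncontent-type: text/html\r\n\r\n'
SHORT='HTTP/2 200\r\nstrict-transport-security: max-age=86400; includeSubDomains; preload\r\n\r\n'
QUOTED='HTTP/2 200\r\nstrict-transport-security: preload; includesubdomains; max-age="94608000"\r\n\r\n'

# Print the verdict for a dump without failing the caller.
verdict_of() { printf '%b' "$1" | hsts_verdict || true; }

for sample in "$GOOD" "$GONE" "$SHORT" "$QUOTED"; do verdict_of "$sample"; done
```

To use it against a live site, pipe `curl -sI "$URL"` into `hsts_verdict` and alert on a non-zero exit status.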
Same thing in Enterno.io
Already baked into Security Scanner — and into the Enterno SSL monitor via `assert_body`. Best paired: the scanner audits the policy deeply, the monitor pings you on regression instantly.