Skip to content

HSTS Preload: Definition, Use Cases, and Examples

TL;DR:

HSTS Preload is a domain list baked into browsers (Chrome, Firefox, Safari, Edge). All requests to preloaded domains ALWAYS use HTTPS, even on the first visit. Submit at hstspreload.org — requires HSTS header with includeSubDomains; preload; max-age ≥ 31536000. Ultimate HTTPS protection.

Check your site's security →

What is HSTS Preload

HSTS Preload is a domain list baked into browsers (Chrome, Firefox, Safari, Edge). All requests to preloaded domains ALWAYS use HTTPS, even on the first visit. Submit at hstspreload.org — requires HSTS header with includeSubDomains; preload; max-age ≥ 31536000. Ultimate HTTPS protection.

Check HSTS Preload online

Open tool →

Understanding HSTS and Its Importance

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. By enforcing the use of HTTPS, HSTS ensures that all communications between the user's browser and the server are encrypted and secure.

When a domain is included in the HSTS Preload List, it signals to browsers that it should only be accessed using HTTPS. This is crucial for maintaining the integrity and confidentiality of data transmitted over the web. Moreover, it helps enhance user trust and can improve SEO rankings, as search engines favor sites that are secure.

To implement HSTS effectively, a domain must send the HSTS header in its responses. The header should include the following directives:

  • includeSubDomains: Applies HSTS to all subdomains
  • preload: Indicates the domain should be included in the HSTS Preload List
  • max-age=31536000: Specifies the duration (in seconds) that browsers should remember to enforce HSTS. A value of 31536000 seconds equals one year.

In summary, HSTS is a vital component of modern web security, and adding your domain to the HSTS Preload List significantly enhances its protection against potential vulnerabilities.

How to Check Your HSTS Implementation

Before submitting your domain to the HSTS Preload List, it's essential to verify that your HSTS implementation is working correctly. Here’s a step-by-step guide to check your HSTS settings:

  1. Use Browser Developer Tools: Open your website in a browser and access the Developer Tools (usually by right-clicking and selecting 'Inspect'). Navigate to the 'Network' tab, refresh the page, and click on your domain. Check the response headers for an entry that starts with Strict-Transport-Security:. It should look something like this:
  2. Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  3. Online HSTS Checkers: Utilize online tools like hstspreload.org or SSL Labs to analyze your site’s HSTS configuration. These tools can provide insights into whether your HSTS settings are correctly applied.
  4. Command Line Tools: You can also use command-line tools like curl to check your HSTS header. Run the following command:
  5. curl -I https://yourdomain.com

    This will return the HTTP headers, and you should look for the Strict-Transport-Security header in the output.

By following these steps, you can ensure that your HSTS implementation is correctly set up and ready for submission to the HSTS Preload List.

Troubleshooting Common HSTS Issues

Implementing HSTS can sometimes lead to issues that may prevent your domain from being accepted into the HSTS Preload List. Here are some common problems and how to troubleshoot them:

  • Missing HSTS Header: Ensure that your server is configured to send the HSTS header. If it's missing, check your server configuration files (like nginx.conf or httpd.conf) to confirm that the header is included in the responses.
  • Incorrect Max-Age Value: The max-age directive must be set to a minimum of 31536000 seconds (1 year). If it's less than this, browsers may not recognize your domain as secure. Adjust your server settings accordingly.
  • Subdomain Coverage: If you have subdomains, ensure that includeSubDomains is specified in your HSTS header. Failing to do so may lead to incomplete protection and rejection from the preload list.
  • Not Serving Over HTTPS: Your domain must serve all resources over HTTPS. If any requests are made over HTTP, it will lead to a violation of HSTS policy. Ensure that all internal links, images, and scripts are served securely.

By addressing these common issues, you can streamline the process of submitting your domain to the HSTS Preload List and ensure maximum security for your users.

HeadersCSP, HSTS, X-Frame-Options, etc.
SSL/TLSEncryption and certificate
ConfigurationServer settings and leaks
Grade A-FOverall security score

Why teams trust us

OWASP
guidelines
15+
security headers
<2s
result
A–F
security grade

How it works

1

Enter site URL

2

Security headers analyzed

3

Get grade A–F

What Does the Security Analysis Check?

The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.

Header Analysis

Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.

SSL Check

TLS version, certificate expiry, chain of trust, HSTS support.

Leak Detection

Finding exposed server versions, debug modes, open configs, and directories.

Report with Recommendations

Detailed report explaining each issue with specific steps to fix it.

Who uses this

Security teams

HTTP header audit

DevOps

config verification

Developers

CSP & HSTS setup

Auditors

compliance checks

Common Mistakes

Missing Content-Security-PolicyCSP is the primary XSS defense. Without it, script injection is much easier.
Missing HSTS headerWithout HSTS, HTTPS-to-HTTP downgrade attacks are possible. Enable Strict-Transport-Security.
Server header exposes versionServer: Apache/2.4.52 helps attackers find exploits. Hide the version.
X-Frame-Options not setSite can be embedded in iframe for clickjacking. Set DENY or SAMEORIGIN.
Missing X-Content-Type-OptionsWithout nosniff, browsers may misinterpret file types (MIME sniffing).

Best Practices

Start with basic headersMinimum: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Takes 5 minutes.
Implement CSP graduallyStart with Content-Security-Policy-Report-Only, monitor violations, then enforce.
Hide server headersRemove Server, X-Powered-By, X-AspNet-Version from responses.
Configure Permissions-PolicyRestrict camera, microphone, geolocation access — only what is actually used.
Check after every deploySecurity headers can be overwritten during server configuration updates.

Get more with a free account

Security check history and HTTP security header monitoring.

Sign up free

Learn more

Frequently Asked Questions

Do I need HSTS Preload?

See the use-case section above. For a quick check, use our online form.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.