HSTS Preload is a domain list baked into browsers (Chrome, Firefox, Safari, Edge). All requests to preloaded domains ALWAYS use HTTPS, even on the first visit. Submit at hstspreload.org — requires HSTS header with includeSubDomains; preload; max-age ≥ 31536000. Ultimate HTTPS protection.
Free online tool — website security scanner: instant results, no signup.
HSTS Preload is a domain list baked into browsers (Chrome, Firefox, Safari, Edge). All requests to preloaded domains ALWAYS use HTTPS, even on the first visit. Submit at hstspreload.org — requires HSTS header with includeSubDomains; preload; max-age ≥ 31536000. Ultimate HTTPS protection.
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. By enforcing the use of HTTPS, HSTS ensures that all communications between the user's browser and the server are encrypted and secure.
When a domain is included in the HSTS Preload List, it signals to browsers that it should only be accessed using HTTPS. This is crucial for maintaining the integrity and confidentiality of data transmitted over the web. Moreover, it helps enhance user trust and can improve SEO rankings, as search engines favor sites that are secure.
To implement HSTS effectively, a domain must send the HSTS header in its responses. The header should include the following directives:
includeSubDomains: Applies HSTS to all subdomainspreload: Indicates the domain should be included in the HSTS Preload Listmax-age=31536000: Specifies the duration (in seconds) that browsers should remember to enforce HSTS. A value of 31536000 seconds equals one year.In summary, HSTS is a vital component of modern web security, and adding your domain to the HSTS Preload List significantly enhances its protection against potential vulnerabilities.
Before submitting your domain to the HSTS Preload List, it's essential to verify that your HSTS implementation is working correctly. Here’s a step-by-step guide to check your HSTS settings:
Strict-Transport-Security:. It should look something like this:Strict-Transport-Security: max-age=31536000; includeSubDomains; preload curl to check your HSTS header. Run the following command:curl -I https://yourdomain.com This will return the HTTP headers, and you should look for the Strict-Transport-Security header in the output.
By following these steps, you can ensure that your HSTS implementation is correctly set up and ready for submission to the HSTS Preload List.
Implementing HSTS can sometimes lead to issues that may prevent your domain from being accepted into the HSTS Preload List. Here are some common problems and how to troubleshoot them:
nginx.conf or httpd.conf) to confirm that the header is included in the responses.max-age directive must be set to a minimum of 31536000 seconds (1 year). If it's less than this, browsers may not recognize your domain as secure. Adjust your server settings accordingly.includeSubDomains is specified in your HSTS header. Failing to do so may lead to incomplete protection and rejection from the preload list.By addressing these common issues, you can streamline the process of submitting your domain to the HSTS Preload List and ensure maximum security for your users.
The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.
Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.
TLS version, certificate expiry, chain of trust, HSTS support.
Finding exposed server versions, debug modes, open configs, and directories.
Detailed report explaining each issue with specific steps to fix it.
HTTP header audit
config verification
CSP & HSTS setup
compliance checks
Strict-Transport-Security.Server: Apache/2.4.52 helps attackers find exploits. Hide the version.DENY or SAMEORIGIN.nosniff, browsers may misinterpret file types (MIME sniffing).Content-Security-Policy-Report-Only, monitor violations, then enforce.Server, X-Powered-By, X-AspNet-Version from responses.Security check history and HTTP security header monitoring.
Sign up freeSee the use-case section above. For a quick check, use our online form.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.