Skip to content

HSTS Preload: 2026 Adoption Report

Key idea:

Measured data (Key Findings) shows that the pass-rate for any HSTS header is 58%, while the pass-rate for the Chromium preload list is 24%. For those with HSTS, the pass-rate for max-age ≥ 1 year is 82%. The pass-rate for includeSubDomains is 59%, and the pass-rate for the preload directive is 36%. Full tables are below on this page.

Below: key findings, platform breakdown, implications, methodology, FAQ.

Check your site's security →

Key Findings

MetricPass-rate / ValueMedianp75
Any HSTS header58%
In Chromium preload list24%
max-age ≥ 1 year82% (of those with HSTS)
includeSubDomains59%
preload directive36%
All correct (preload-ready)31%

Breakdown by Platform

PlatformSharePass / Detailavg LCP
Cloudflare (default HSTS config)21%HSTS: 100% (toggle on)
Fastly4%HSTS: 93%
Nginx (direct)28%HSTS: 52%
Apache (direct)18%HSTS: 44%
WordPress (general)12%HSTS: 39%
1С-Bitrix5%HSTS: 28%

Why It Matters

  • HSTS preload blocks 100% of TLS stripping attacks from the first time the host is typed (no TOFU)
  • A too-low max-age lets an attacker wait for it to expire and then strike
  • includeSubDomains protects subdomains from MITM — critical for *.bank.example patterns
  • Getting into the preload list is hard (requires ≥ 1 year max-age + includeSubDomains); getting out is also hard — removal takes 6+ months

Methodology

Crawl of the top-10k Tranco (March 2026). Strict-Transport-Security header extracted via curl -I. max-age, includeSubDomains and preload directives parsed by regex. Presence in the preload list verified via hstspreload.org/api/v2/status?domain=X.

TL;DR: HSTS Preload 2026 Overview

HSTS Preload is a critical security feature that forces browsers to communicate over HTTPS exclusively. As of 2026, global adoption is accelerating, with over 2,000 domains preloaded in major browsers like Chrome and Firefox. To add your domain, ensure it meets the requirements outlined at hstspreload.org. Key gotchas include misconfigurations, the necessity for a valid SSL certificate, and understanding the 18-month expiry rule for HSTS headers.

Understanding HSTS Preload: Implementation and Requirements

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. The HSTS preload list is a collection of websites that enforce HSTS by default, which browsers reference to enhance security.

To successfully implement HSTS Preload for your domain, you must adhere to specific requirements:

  • Valid SSL Certificate: Your site must be served over HTTPS with a valid SSL certificate.
  • HSTS Header: You need to include the Strict-Transport-Security header in your server responses. The minimum configuration should look like this:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

This configuration specifies a max-age of at least one year, includes subdomains, and signals to browsers that your domain should be preloaded.

To check if your domain is correctly configured, you can use the following command:

curl -I https://yourdomain.com

If your HSTS header is correctly configured, you should see it in the response headers. Ensure your response includes the includeSubDomains directive for broader security coverage.

Once your configuration is in place, you can submit your domain to the HSTS preload list via hstspreload.org. Keep in mind that once preloaded, it can be challenging to remove your domain from the list, requiring a full cache clearance across browsers.

Common Gotchas with HSTS Preload Implementation

While implementing HSTS Preload can significantly enhance your website's security, there are several common pitfalls and gotchas that practitioners should be aware of to avoid service interruptions and security lapses.

  • Incorrectly Configured HSTS Header: One of the most common issues is improperly setting the HSTS header. For instance, if you forget to include includeSubDomains, browsers will not enforce HSTS on your subdomains, potentially leaving them vulnerable.
  • Non-HTTPS Content: After enabling HSTS, ensure all resources (images, scripts, etc.) are served over HTTPS. Mixed content can lead to security warnings and degraded user experience.
  • SSL Certificate Expiry: If your SSL certificate expires, browsers will no longer enforce HSTS, which can lead to significant security risks. Regularly monitor your SSL certificate's status and renew it promptly.
  • Testing in Local Environments: Developers often test websites in local environments without HTTPS. Remember that HSTS cannot be bypassed if a domain is preloaded, making local testing challenging. Use a staging environment with HTTPS enabled for testing.

For example, consider a scenario where a website is preloaded but has an expired SSL certificate. Users attempting to access the site will receive a security warning, and they may be discouraged from proceeding. To prevent this, implement regular checks using tools like SSL Labs to monitor certificate validity.

Another common mistake is failing to account for the 18-month expiry rule. If you decide to remove HSTS from your domain, you must wait 18 months for browsers to clear the preload cache. During this time, users will continue to be forced to connect via HTTPS, regardless of your current server configuration.

In summary, while HSTS Preload offers robust security benefits, careful attention to detail during implementation is crucial. Regular audits and monitoring of your HSTS settings, SSL certificates, and server configurations will help maintain a secure web environment.

HeadersCSP, HSTS, X-Frame-Options, etc.
SSL/TLSEncryption and certificate
ConfigurationServer settings and leaks
Grade A-FOverall security score

Why teams trust us

OWASP
guidelines
15+
security headers
<2s
result
A–F
security grade

How it works

1

Enter site URL

2

Security headers analyzed

3

Get grade A–F

What Does the Security Analysis Check?

The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.

Header Analysis

Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.

SSL Check

TLS version, certificate expiry, chain of trust, HSTS support.

Leak Detection

Finding exposed server versions, debug modes, open configs, and directories.

Report with Recommendations

Detailed report explaining each issue with specific steps to fix it.

Who uses this

Security teams

HTTP header audit

DevOps

config verification

Developers

CSP & HSTS setup

Auditors

compliance checks

Common Mistakes

Missing Content-Security-PolicyCSP is the primary XSS defense. Without it, script injection is much easier.
Missing HSTS headerWithout HSTS, HTTPS-to-HTTP downgrade attacks are possible. Enable Strict-Transport-Security.
Server header exposes versionServer: Apache/2.4.52 helps attackers find exploits. Hide the version.
X-Frame-Options not setSite can be embedded in iframe for clickjacking. Set DENY or SAMEORIGIN.
Missing X-Content-Type-OptionsWithout nosniff, browsers may misinterpret file types (MIME sniffing).

Best Practices

Start with basic headersMinimum: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Takes 5 minutes.
Implement CSP graduallyStart with Content-Security-Policy-Report-Only, monitor violations, then enforce.
Hide server headersRemove Server, X-Powered-By, X-AspNet-Version from responses.
Configure Permissions-PolicyRestrict camera, microphone, geolocation access — only what is actually used.
Check after every deploySecurity headers can be overwritten during server configuration updates.

Get more with a free account

Security check history and HTTP security header monitoring.

Sign up free

Learn more

Frequently Asked Questions

What is the difference between HSTS header and the preload list?

The HSTS header asks the browser on first visit to "always use HTTPS for N seconds". That is TOFU (trust on first use) — the first HTTP visit is still vulnerable. The preload list ships with the browser, so no HTTP redirect is ever needed.

How do I get into the preload list?

1) HSTS header with max-age ≥ 31536000 (1 year), includeSubDomains and the preload directive. 2) All subdomains serve HTTPS. 3) Submit at <a href="https://hstspreload.org/">hstspreload.org</a>. Chrome review ~1-2 weeks.

What if I need to remove HSTS preload?

Not quickly reversible. Removal via hstspreload.org waits for the next Chrome release cycle (~6 weeks). Until then the site must stay on HTTPS — HTTP redirects do not help.

How do I check HSTS for a specific site?

<a href="/en/security">Enterno Security Scanner</a> checks all security headers including HSTS. Or: <code>curl -I https://example.com | grep -i strict</code>.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.