Measured data (Key Findings) shows that the pass-rate for any HSTS header is 58%, while the pass-rate for the Chromium preload list is 24%. For those with HSTS, the pass-rate for max-age ≥ 1 year is 82%. The pass-rate for includeSubDomains is 59%, and the pass-rate for the preload directive is 36%. Full tables are below on this page.
Below: key findings, platform breakdown, implications, methodology, FAQ.
Free online tool — website security scanner: instant results, no signup.
| Metric | Pass-rate / Value | Median | p75 |
|---|---|---|---|
| Any HSTS header | 58% | — | — |
| In Chromium preload list | 24% | — | — |
| max-age ≥ 1 year | 82% (of those with HSTS) | — | — |
| includeSubDomains | 59% | — | — |
| preload directive | 36% | — | — |
| All correct (preload-ready) | 31% | — | — |
| Platform | Share | Pass / Detail | avg LCP |
|---|---|---|---|
| Cloudflare (default HSTS config) | 21% | HSTS: 100% (toggle on) | — |
| Fastly | 4% | HSTS: 93% | — |
| Nginx (direct) | 28% | HSTS: 52% | — |
| Apache (direct) | 18% | HSTS: 44% | — |
| WordPress (general) | 12% | HSTS: 39% | — |
| 1С-Bitrix | 5% | HSTS: 28% | — |
Crawl of the top-10k Tranco (March 2026). Strict-Transport-Security header extracted via curl -I. max-age, includeSubDomains and preload directives parsed by regex. Presence in the preload list verified via hstspreload.org/api/v2/status?domain=X.
HSTS Preload is a critical security feature that forces browsers to communicate over HTTPS exclusively. As of 2026, global adoption is accelerating, with over 2,000 domains preloaded in major browsers like Chrome and Firefox. To add your domain, ensure it meets the requirements outlined at hstspreload.org. Key gotchas include misconfigurations, the necessity for a valid SSL certificate, and understanding the 18-month expiry rule for HSTS headers.
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. The HSTS preload list is a collection of websites that enforce HSTS by default, which browsers reference to enhance security.
To successfully implement HSTS Preload for your domain, you must adhere to specific requirements:
Strict-Transport-Security header in your server responses. The minimum configuration should look like this:Strict-Transport-Security: max-age=63072000; includeSubDomains; preloadThis configuration specifies a max-age of at least one year, includes subdomains, and signals to browsers that your domain should be preloaded.
To check if your domain is correctly configured, you can use the following command:
curl -I https://yourdomain.comIf your HSTS header is correctly configured, you should see it in the response headers. Ensure your response includes the includeSubDomains directive for broader security coverage.
Once your configuration is in place, you can submit your domain to the HSTS preload list via hstspreload.org. Keep in mind that once preloaded, it can be challenging to remove your domain from the list, requiring a full cache clearance across browsers.
While implementing HSTS Preload can significantly enhance your website's security, there are several common pitfalls and gotchas that practitioners should be aware of to avoid service interruptions and security lapses.
includeSubDomains, browsers will not enforce HSTS on your subdomains, potentially leaving them vulnerable.For example, consider a scenario where a website is preloaded but has an expired SSL certificate. Users attempting to access the site will receive a security warning, and they may be discouraged from proceeding. To prevent this, implement regular checks using tools like SSL Labs to monitor certificate validity.
Another common mistake is failing to account for the 18-month expiry rule. If you decide to remove HSTS from your domain, you must wait 18 months for browsers to clear the preload cache. During this time, users will continue to be forced to connect via HTTPS, regardless of your current server configuration.
In summary, while HSTS Preload offers robust security benefits, careful attention to detail during implementation is crucial. Regular audits and monitoring of your HSTS settings, SSL certificates, and server configurations will help maintain a secure web environment.
The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.
Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.
TLS version, certificate expiry, chain of trust, HSTS support.
Finding exposed server versions, debug modes, open configs, and directories.
Detailed report explaining each issue with specific steps to fix it.
HTTP header audit
config verification
CSP & HSTS setup
compliance checks
Strict-Transport-Security.Server: Apache/2.4.52 helps attackers find exploits. Hide the version.DENY or SAMEORIGIN.nosniff, browsers may misinterpret file types (MIME sniffing).Content-Security-Policy-Report-Only, monitor violations, then enforce.Server, X-Powered-By, X-AspNet-Version from responses.Security check history and HTTP security header monitoring.
Sign up freeThe HSTS header asks the browser on first visit to "always use HTTPS for N seconds". That is TOFU (trust on first use) — the first HTTP visit is still vulnerable. The preload list ships with the browser, so no HTTP redirect is ever needed.
1) HSTS header with max-age ≥ 31536000 (1 year), includeSubDomains and the preload directive. 2) All subdomains serve HTTPS. 3) Submit at <a href="https://hstspreload.org/">hstspreload.org</a>. Chrome review ~1-2 weeks.
Not quickly reversible. Removal via hstspreload.org waits for the next Chrome release cycle (~6 weeks). Until then the site must stay on HTTPS — HTTP redirects do not help.
<a href="/en/security">Enterno Security Scanner</a> checks all security headers including HSTS. Or: <code>curl -I https://example.com | grep -i strict</code>.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.