HSTS Preload: 2026 Adoption Report

Key idea:

Enterno.io audited HSTS across the top-10k sites (March 2026). 58% return a Strict-Transport-Security header. Of those, only 24% are in the Chromium HSTS preload list (built into the browser). Common mistakes: max-age below 31536000 (1 year) — 18%, missing includeSubDomains — 41%, preload directive without actually submitting to the list — 12%. TLS downgrade attacks still succeed against 42% of the top-10k.

Below: key findings, platform breakdown, implications, methodology, FAQ.

Key Findings

Metric                          Pass-rate / Value
Any HSTS header                 58%
In Chromium preload list        24%
max-age ≥ 1 year                82% (of those with HSTS)
includeSubDomains               59%
preload directive               36%
All correct (preload-ready)     31%

Breakdown by Platform

Platform                            Share    Pass / Detail
Cloudflare (default HSTS config)    21%      HSTS: 100% (toggle on)
Fastly                              4%       HSTS: 93%
Nginx (direct)                      28%      HSTS: 52%
Apache (direct)                     18%      HSTS: 44%
WordPress (general)                 12%      HSTS: 39%
1C-Bitrix                           5%       HSTS: 28%

Why It Matters

  • HSTS preload blocks 100% of TLS stripping attacks from the first time the host is typed (no TOFU)
  • A too-low max-age lets an attacker wait for it to expire and then strike
  • includeSubDomains protects subdomains from MITM — critical for *.bank.example patterns
  • Getting into the preload list is hard (requires ≥ 1 year max-age + includeSubDomains); getting out is also hard — removal takes 6+ months

Methodology

Crawl of the Tranco top-10k list (March 2026). The Strict-Transport-Security header was extracted with curl -I; the max-age, includeSubDomains and preload directives were parsed by regex. Presence in the preload list was verified via hstspreload.org/api/v2/status?domain=X.

  • Headers: CSP, HSTS, X-Frame-Options, etc.
  • SSL/TLS: encryption and certificate
  • Configuration: server settings and leaks
  • Grade A-F: overall security score

Why teams trust us

  • OWASP guidelines
  • 15+ security headers
  • <2s result
  • A–F security grade

How it works

1) Enter site URL
2) Security headers analyzed
3) Get grade A–F

What Does the Security Analysis Check?

The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade from A to F shows the overall security level.

Header Analysis

Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.

SSL Check

TLS version, certificate expiry, chain of trust, HSTS support.

Leak Detection

Finding exposed server versions, debug modes, open configs, and directories.

Report with Recommendations

Detailed report explaining each issue with specific steps to fix it.

Who uses this

  • Security teams: HTTP header audit
  • DevOps: config verification
  • Developers: CSP & HSTS setup
  • Auditors: compliance checks

Common Mistakes

  • Missing Content-Security-Policy: CSP is the primary XSS defense. Without it, script injection is much easier.
  • Missing HSTS header: without HSTS, HTTPS-to-HTTP downgrade attacks are possible. Enable Strict-Transport-Security.
  • Server header exposes version: Server: Apache/2.4.52 helps attackers find exploits. Hide the version.
  • X-Frame-Options not set: the site can be embedded in an iframe for clickjacking. Set DENY or SAMEORIGIN.
  • Missing X-Content-Type-Options: without nosniff, browsers may misinterpret file types (MIME sniffing).

Best Practices

  • Start with basic headers: minimum HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Takes 5 minutes.
  • Implement CSP gradually: start with Content-Security-Policy-Report-Only, monitor violations, then enforce.
  • Hide server headers: remove Server, X-Powered-By, X-AspNet-Version from responses.
  • Configure Permissions-Policy: restrict camera, microphone, geolocation access — only what is actually used.
  • Check after every deploy: security headers can be overwritten during server configuration updates.
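The checks in the two lists above, run over a captured set of response headers so they can be repeated after every deploy. This is an added example, not Enterno's scanner; the SAMPLE_RESPONSE and HARDENED_RESPONSE dictionaries are constructed, and the rules are exactly the ones listed on this page (Server is flagged only when it carries a version string, X-Powered-By and X-AspNet-Version whenever present).

```python
"""Check an HTTP response header set against the common mistakes and best
practices above. Added example; SAMPLE_RESPONSE / HARDENED_RESPONSE are
constructed, not captured from any real site."""
import re

# Constructed: a typical misconfigured origin.
SAMPLE_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Apache/2.4.52 (Ubuntu)",
    "X-Powered-By": "PHP/8.1.2",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Content-Security-Policy-Report-Only": "default-src 'self'",
}

# Constructed: the same origin after applying the best practices.
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Matches a product/version token such as "Apache/2.4.52" or "nginx/1.24.0".
VERSION_RE = re.compile(r"/\d+(\.\d+)+")


def check_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings for one response; [] means all checks pass.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    # CSP: report-only is a sensible first step, but it does not block anything.
    if "content-security-policy" not in h:
        if "content-security-policy-report-only" in h:
            findings.append("CSP only in Report-Only mode (not enforced yet)")
        else:
            findings.append("missing Content-Security-Policy")

    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")

    # Only DENY / SAMEORIGIN are valid; ALLOW-FROM is obsolete and ignored.
    xfo = h.get("x-frame-options", "").upper()
    if not xfo:
        findings.append("X-Frame-Options not set")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options not DENY or SAMEORIGIN")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    # Information leaks: a bare "Server: nginx" is tolerated, a version is not.
    if "server" in h and VERSION_RE.search(h["server"]):
        findings.append(f"server header exposes version: {h['server']}")
    for name in ("x-powered-by", "x-aspnet-version"):
        if name in h:
            findings.append(f"{name} header exposes version: {h[name]}")
    return findings


if __name__ == "__main__":
    for label, resp in (("sample", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_headers(resp) or ["all checks pass"])
```

Feed the function the headers of a real deployment (for example from curl -I) and wire it into the release pipeline so a configuration update that silently drops a header fails the build rather than going unnoticed.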


Frequently Asked Questions

What is the difference between HSTS header and the preload list?

The HSTS header asks the browser on first visit to "always use HTTPS for N seconds". That is TOFU (trust on first use) — the first HTTP visit is still vulnerable. The preload list ships with the browser, so no HTTP redirect is ever needed.

How do I get into the preload list?

1) HSTS header with max-age ≥ 31536000 (1 year), includeSubDomains and the preload directive. 2) All subdomains serve HTTPS. 3) Submit at hstspreload.org. Chrome review ~1-2 weeks.
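The header-side part of step 1, together with the directive parsing and mistake categories from the Methodology section, as a worked example. This is added code, not Enterno.io's crawler. It assumes constructed SAMPLES header values, and PRELOADED is a stand-in for the hstspreload.org status lookup so that the script runs offline; a real audit would replace that set with the API response.

```python
"""Parse Strict-Transport-Security values, grade them in the audit's
categories, and test the preload-list header requirement.

Added example, not Enterno.io's crawler. SAMPLES are constructed headers;
PRELOADED stands in for the hstspreload.org status lookup (assumption)."""
import re
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # preload requires max-age >= 1 year (in seconds)

# Constructed stand-in for "is this host already in the Chromium preload list?"
PRELOADED = {"good.example"}

# Constructed sample header values keyed by host; None = no header returned.
SAMPLES = {
    "good.example": "max-age=31536000; includeSubDomains; preload",
    "short.example": "max-age=15768000; includeSubDomains",
    "nosub.example": "max-age=31536000; preload",
    "zero.example": "max-age=0",
    "plain.example": None,
}

# RFC 6797 allows the value to be quoted; directive names are case-insensitive.
_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


@dataclass
class Hsts:
    max_age: Optional[int]  # None when the required directive is missing
    include_subdomains: bool
    preload: bool


def parse_hsts(value: Optional[str]) -> Optional[Hsts]:
    """Parse one header value; directives are ';'-separated, unknown ones ignored."""
    if value is None:
        return None
    hsts = Hsts(None, False, False)
    for raw in value.split(";"):
        directive = raw.strip()
        if (m := _MAX_AGE.fullmatch(directive)):
            hsts.max_age = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            hsts.include_subdomains = True
        elif directive.lower() == "preload":
            hsts.preload = True
    return hsts


def preload_ready(value: Optional[str]) -> bool:
    """The FAQ's header requirement: max-age >= 1 year, includeSubDomains, preload."""
    h = parse_hsts(value)
    return bool(h and h.max_age is not None and h.max_age >= ONE_YEAR
                and h.include_subdomains and h.preload)


def classify(host: str, value: Optional[str]) -> list[str]:
    """Findings for one host in the audit's categories; [] means nothing to fix."""
    h = parse_hsts(value)
    if h is None:
        return ["no HSTS header"]
    findings = []
    if h.max_age is None:
        findings.append("max-age missing (header is invalid)")
    elif h.max_age == 0:
        # Not a short lifetime: max-age=0 tells browsers to forget the policy.
        findings.append("max-age=0 (tells browsers to drop the policy)")
    elif h.max_age < ONE_YEAR:
        findings.append(f"max-age {h.max_age} below 1 year")
    if not h.include_subdomains:
        findings.append("missing includeSubDomains")
    if h.preload and host not in PRELOADED:
        findings.append("preload directive set but host not in preload list")
    elif not h.preload:
        findings.append("no preload directive")
    return findings


def summarize(samples=SAMPLES) -> dict[str, int]:
    """Counts in the report's own terms: any HSTS header, and preload-ready."""
    return {
        "hosts": len(samples),
        "with_hsts": sum(v is not None for v in samples.values()),
        "preload_ready": sum(preload_ready(v) for v in samples.values()),
    }


if __name__ == "__main__":
    for host, value in SAMPLES.items():
        print(f"{host:15} {classify(host, value) or ['preload-ready']}")
    print(summarize())
```

Note that preload_ready only covers the header; steps 2 and 3 (every subdomain serving HTTPS, and the submission itself) are not something a header parser can verify, which is exactly how a site ends up in the "preload directive without actually submitting" bucket.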

What if I need to remove HSTS preload?

Not quickly reversible. Removal via hstspreload.org waits for the next Chrome release cycle (~6 weeks). Until then the site must stay on HTTPS — HTTP redirects do not help.

How do I check HSTS for a specific site?

Enterno Security Scanner (/en/security) checks all security headers including HSTS. Or: curl -I https://example.com | grep -i strict