Advanced HSTS Preload Checker
Verify if your domain uses HTTP Strict Transport Security (HSTS) and is eligible for the Chrome HSTS Preload list.
This Tool is Totally Free
Mastering HSTS Preloading: A Complete Guide
Why HSTS Matters?
HTTP Strict Transport Security (HSTS) tells browsers that your site should only be accessed using HTTPS, never HTTP. The Preload List takes this a step further by baking this rule directly into the browser.
What is the HSTS Preload List?
The HSTS preload list is a list of domains baked into Google Chrome (and used by Firefox, Opera, Safari, Edge, and IE) that are hardcoded to be HTTPS-only. This means that even the very first connection to your domain is secure, preventing any opportunity for a man-in-the-middle attack to intercept the initial HTTP redirect.
Requirements for HSTS Preloading
To be accepted into the HSTS preload list, your site must serve a valid HSTS header on the response associated with the HSTS policy. The requirements are strict:
- Valid Certificate: Verify that you have a valid certificate for your domain.
- Redirect HTTP to HTTPS: Redirect all HTTP traffic to HTTPS on the same host.
- Serve all Subdomains: Serve all subdomains over HTTPS.
- HSTS Header on Base Domain: Serve an HSTS header on the base domain for HTTPS requests.
- Max-Age: The max-age must be at least 31536000 seconds (1 year).
- includeSubDomains: The includeSubDomains directive must be specified.
- Preload Directive: The preload directive must be specified.
How to Enable HSTS?
You enable HSTS by adding a response header to your web server configurations. Here are examples for common servers:
Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;Apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"Why use this Tool?
Checking eligibility manually can be tedious. This Advanced HSTS Preload Checker validates all criteria instantly, checks if you are already on the list (or pending), and identifies exactly what is missing if you aren't compliant. It provides a deeper insight than standard header checkers by querying the official HSTS Preload API status.
Frequently Asked Questions
Common questions about HSTS Preloading, requirements, and troubleshooting.
QWhat is the HSTS Preload List and why should I join?
QHow do I fix the 'max-age too short' error?
max-age directive must be at least 31536000 seconds (1 year) to be eligible for preloading. If you see this error, update your server config to set max-age=31536000 or higher. This ensures long-term protection for your users.QWhy is the 'includeSubDomains' directive mandatory?
includeSubDomains to ensure that all subdomains (e.g., mail.example.com, dev.example.com) are also protected by HTTPS. You cannot partialy preload a domain; it's an all-or-nothing security commitment.QWhat does 'Error: No HSTS header found' mean?
Strict-Transport-Security header in your site's response. Ensure potential redirects are correct and that you've applied the header to the HTTPS version of your site, not just HTTP.QCan I use HSTS without submitting to the Preload List?
QHow do I remove my domain from the HSTS Preload List?
preload directive from your header and submit a removal request at the official HstsPreload site. Caution: This can break access for users if your site is no longer HTTPS-ready.QDoes HSTS affect my SEO implementation?
QWhat if I have a subdomain that doesn't support HTTPS?
Related SSL & Security Tools
Explore more powerful tools in this category.
SSL Checker
Check SSL certificate chain status and expiration dates.
Advanced PEM TO PKCS#12
Securely convert PEM formatted certificates and keys to PKCS#12 (.p12) format.
Advanced PEM TO PKCS#7
Securely convert PEM formatted certificates to PKCS#7 (.p7b) format.
Advanced PKCS#12 TO PEM
Securely extract Private Keys and Certificates from PKCS#12 (.p12/.pfx) archives.
Advanced PKCS#7 TO PEM
Securely extract individual certificates from PKCS#7 (.p7b/.p7c) bundles.
Advanced PKCS#7 TO PKCS#12
Convert PKCS#7 (.p7b/.p7c) certificate bundles to PKCS#12 (.p12/.pfx) format with private key.
ACME Status Checker
Verify domain readiness for Let's Encrypt certificates (CAA, DNS-01, HTTP-01).
Certificate Decoder
Decode PEM certificates instantly to view details like CN, Issuer, and Validity.
Certificate Key Matcher
Securely check if your SSL Certificate or CSR matches your Private Key.
Advanced CSR Decoder
Decode and verify Certificate Signing Requests (CSR) instantly.
Advanced CSR Generator
Generate secure Certificate Signing Request (CSR) and Private Key pairs instantly.
Advanced Password Encryption Utility
Encrypt passwords using secure algorithms like Bcrypt, Argon2, SHA-256 and more.
Advance Online JWT Decoder
Decode and debug JSON Web Tokens (JWT) instantly. View Header, Payload, and Signature securely.
WebRTC Leak Tester
Check for WebRTC leaks that could reveal your real IP address.
Security Headers Scanner
Scan website security headers (CSP, HSTS, X-Frame) and get a security grade.
Advanced CSP Evaluator
Analyze and score your Content Security Policy (CSP) headers for security vulnerabilities.
Advanced CA Matcher
Verify Ca/End-Entity Certificate Chain, Check Issuer Matches and Key Identifiers instantly.
Advanced OCSP Status Checker
Check the revocation status of SSL/TLS certificates via OCSP instantly.
Advanced CAA Record Lookup
Check and verify Certification Authority Authorization (CAA) DNS records instantly.