Advanced HSTS Preload Checker

Verify if your domain uses HTTP Strict Transport Security (HSTS) and is eligible for the Chrome HSTS Preload list.

This Tool is Totally Free

Mastering HSTS Preloading: A Complete Guide

Why HSTS Matters?

HTTP Strict Transport Security (HSTS) tells browsers that your site should only be accessed using HTTPS, never HTTP. The Preload List takes this a step further by baking this rule directly into the browser.

What is the HSTS Preload List?

The HSTS preload list is a list of domains baked into Google Chrome (and used by Firefox, Opera, Safari, Edge, and IE) that are hardcoded to be HTTPS-only. This means that even the very first connection to your domain is secure, preventing any opportunity for a man-in-the-middle attack to intercept the initial HTTP redirect.

Requirements for HSTS Preloading

To be accepted into the HSTS preload list, your site must serve a valid HSTS header on the response associated with the HSTS policy. The requirements are strict:

  • Valid Certificate: Verify that you have a valid certificate for your domain.
  • Redirect HTTP to HTTPS: Redirect all HTTP traffic to HTTPS on the same host.
  • Serve all Subdomains: Serve all subdomains over HTTPS.
  • HSTS Header on Base Domain: Serve an HSTS header on the base domain for HTTPS requests.
  • Max-Age: The max-age must be at least 31536000 seconds (1 year).
  • includeSubDomains: The includeSubDomains directive must be specified.
  • Preload Directive: The preload directive must be specified.

How to Enable HSTS?

You enable HSTS by adding a response header to your web server configurations. Here are examples for common servers:

Nginx

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Apache

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Why use this Tool?

Checking eligibility manually can be tedious. This Advanced HSTS Preload Checker validates all criteria instantly, checks if you are already on the list (or pending), and identifies exactly what is missing if you aren't compliant. It provides a deeper insight than standard header checkers by querying the official HSTS Preload API status.

Frequently Asked Questions

Common questions about HSTS Preloading, requirements, and troubleshooting.

QWhat is the HSTS Preload List and why should I join?

The HSTS Preload List is a list of domains hardcoded into Chrome (and other browsers) as being HTTPS-only. Joining ensures your site is secure from the very first connection, protecting users even before they reach your server. Source: hstspreload.org.

QHow do I fix the 'max-age too short' error?

The HSTS max-age directive must be at least 31536000 seconds (1 year) to be eligible for preloading. If you see this error, update your server config to set max-age=31536000 or higher. This ensures long-term protection for your users.

QWhy is the 'includeSubDomains' directive mandatory?

The HSTS Preload list requires includeSubDomains to ensure that all subdomains (e.g., mail.example.com, dev.example.com) are also protected by HTTPS. You cannot partialy preload a domain; it's an all-or-nothing security commitment.

QWhat does 'Error: No HSTS header found' mean?

This error means our tool couldn't detect the Strict-Transport-Security header in your site's response. Ensure potential redirects are correct and that you've applied the header to the HTTPS version of your site, not just HTTP.

QCan I use HSTS without submitting to the Preload List?

Yes! You can enable HSTS headers on your server to protect recurring visitors. However, without Preloading, first-time visitors are still vulnerable to stripping attacks during the initial HTTP-to-HTTPS redirect. Preloading closes this small gap.

QHow do I remove my domain from the HSTS Preload List?

Removal is difficult and slow (taking months to propagate to all browser users). You must remove the preload directive from your header and submit a removal request at the official HstsPreload site. Caution: This can break access for users if your site is no longer HTTPS-ready.

QDoes HSTS affect my SEO implementation?

Indirectly, yes, in a positive way. Google favors HTTPS sites. HSTS ensures HTTPS is enforced. Just ensure your 301 redirects from HTTP to HTTPS are configured correctly alongside HSTS to avoid redirect loops or crawl errors.

QWhat if I have a subdomain that doesn't support HTTPS?

If ANY subdomain (internal or external) does not support HTTPS, do not submit your root domain to the Preload list. Doing so will break access to that subdomain for all users. You must migrate all services to HTTPS first.

Related SSL & Security Tools

Explore more powerful tools in this category.

SSL Checker

Check SSL certificate chain status and expiration dates.

Advanced PEM TO PKCS#12

Securely convert PEM formatted certificates and keys to PKCS#12 (.p12) format.

Advanced PEM TO PKCS#7

Securely convert PEM formatted certificates to PKCS#7 (.p7b) format.

Advanced PKCS#12 TO PEM

Securely extract Private Keys and Certificates from PKCS#12 (.p12/.pfx) archives.

Advanced PKCS#7 TO PEM

Securely extract individual certificates from PKCS#7 (.p7b/.p7c) bundles.

Advanced PKCS#7 TO PKCS#12

Convert PKCS#7 (.p7b/.p7c) certificate bundles to PKCS#12 (.p12/.pfx) format with private key.

ACME Status Checker

Verify domain readiness for Let's Encrypt certificates (CAA, DNS-01, HTTP-01).

Certificate Decoder

Decode PEM certificates instantly to view details like CN, Issuer, and Validity.

Certificate Key Matcher

Securely check if your SSL Certificate or CSR matches your Private Key.

Advanced CSR Decoder

Decode and verify Certificate Signing Requests (CSR) instantly.

Advanced CSR Generator

Generate secure Certificate Signing Request (CSR) and Private Key pairs instantly.

Advanced Password Encryption Utility

Encrypt passwords using secure algorithms like Bcrypt, Argon2, SHA-256 and more.

Advance Online JWT Decoder

Decode and debug JSON Web Tokens (JWT) instantly. View Header, Payload, and Signature securely.

WebRTC Leak Tester

Check for WebRTC leaks that could reveal your real IP address.

Security Headers Scanner

Scan website security headers (CSP, HSTS, X-Frame) and get a security grade.

Advanced CSP Evaluator

Analyze and score your Content Security Policy (CSP) headers for security vulnerabilities.

Advanced CA Matcher

Verify Ca/End-Entity Certificate Chain, Check Issuer Matches and Key Identifiers instantly.

Advanced OCSP Status Checker

Check the revocation status of SSL/TLS certificates via OCSP instantly.

Advanced CAA Record Lookup

Check and verify Certification Authority Authorization (CAA) DNS records instantly.