HSTS Preload Checker
Check if your domain is on the HSTS preload list and validate your Strict-Transport-Security header. Verifies max-age, includeSubDomains, and preload flags required for Chrome/Firefox preloading. Get eligibility status and configuration score.
How to Use HSTS Preload Checker
1. Enter your domain name to check HSTS configuration.
2. The tool fetches your site's Strict-Transport-Security header and parses it.
3. Preload list membership is checked against the Chrome/Firefox HSTS preload database.
4. Eligibility requirements and any configuration issues are shown.
Frequently Asked Questions
What is HSTS and why is it important?
HTTP Strict Transport Security (HSTS) tells browsers that your site should only be accessed over HTTPS, never HTTP. Once a browser sees the Strict-Transport-Security header, it will automatically convert all HTTP requests to HTTPS for the duration of max-age. This prevents SSL stripping attacks where attackers intercept HTTP traffic before it can redirect to HTTPS. HSTS is a critical security header for any HTTPS-enabled site.
What is the HSTS preload list?
The HSTS preload list is a hardcoded list of domains built into browsers (Chrome, Firefox, Safari, Edge) that are always loaded over HTTPS — even on the very first visit, before any HSTS header is seen. This closes the window of vulnerability that exists when a user visits a site for the first time over HTTP. To be on the preload list, your domain must have HSTS with max-age ≥ 31536000, includeSubDomains, and the preload directive.
What are the requirements for HSTS preload eligibility?
Your domain must: (1) Serve a valid HTTPS certificate, (2) Redirect all HTTP traffic to HTTPS, (3) Have the Strict-Transport-Security header on HTTPS responses with max-age of at least 31536000 (1 year), (4) Include the includeSubDomains directive, and (5) Include the preload directive. All subdomains must also be accessible over HTTPS (the includeSubDomains requirement covers them). Submit at hstspreload.org.
What max-age value should I use?
For initial deployment, start with a short max-age (e.g., 300 seconds) to test without locking visitors in. Gradually increase to 1 month, then 6 months, then 1 year (31536000 seconds). The 1-year value is required for preload list eligibility. WARNING: Once HSTS is active with a long max-age, you cannot easily switch back to HTTP — your site must maintain HTTPS for the entire duration, or visitors will be unable to access it.
Does HSTS protect against all MITM attacks?
HSTS protects against SSL stripping and protocol downgrade attacks after the first visit. However, the first visit is still vulnerable if the user connects via HTTP (the TOFU problem: Trust On First Use). The preload list solves this by ensuring browsers enforce HTTPS from the first request. HSTS does not protect against certificate authority compromise, and it does not help if your own HTTPS certificate is invalid; those risks call for Certificate Transparency (CT) monitoring and CAA DNS records.