HTTP Strict Transport Security (HSTS) is a response header that forces browsers to use HTTPS for a domain, defeating SSL-stripping attacks that silently downgrade users to plaintext connections where traffic can be intercepted. The header is easy to get subtly wrong — too short a max-age, a missing includeSubDomains, or a preload directive that was never actually submitted to the preload list. This checker parses your header value, scores it against current best practice, and tells you exactly what to change.
How it works
A properly configured HSTS header looks like:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
The tool parses the three components and applies the recommended rules:
1. max-age
Must be present and at least 31536000 seconds (one year). This tells the browser how long to remember the HTTPS-only instruction and refuse to connect over HTTP. A max-age shorter than one year is flagged; a missing max-age means no HSTS policy is in effect at all.
Common values:
31536000— one year (minimum recommended)63072000— two years (common for production sites)10886400— 18 weeks (a conservative ramp-up value)
2. includeSubDomains Extends the HTTPS-only policy to every subdomain of the domain that sent the header. Required for preload submission. Only add this when you are certain all subdomains (including ones you have forgotten about) serve valid HTTPS — enabling it on a subdomain that only serves HTTP will lock users out.
3. preload
A signal that the site owner wants the domain added to browsers’ built-in HSTS preload list, so HTTPS is enforced from the very first visit — before any header has been received. Adding the preload directive in the header alone does nothing until the domain is submitted at hstspreload.org and accepted into the list. Preload requires both includeSubDomains and a max-age of at least one year.
Getting onto the preload list: the exact requirements
The hstspreload.org submission checks four conditions:
max-age≥ 31536000includeSubDomainspresentpreloadpresent- The domain serves a valid HTTPS response (not just a redirect)
All four must be true simultaneously. The checker validates all of these from the header value you paste.
Safe rollout sequence
HSTS is difficult to reverse — once a browser caches a long max-age, it will refuse HTTP for that domain for the full duration even if you remove the header. Roll out in stages:
- Stage 1 — test: Deploy the header with
max-age=300(5 minutes). Verify HTTPS works on the root domain and all subdomains you care about. - Stage 2 — ramp: Increase to
max-age=86400(24 hours). Monitor for any HTTP-only subdomain complaints. - Stage 3 — production: Increase to
max-age=31536000. AddincludeSubDomainsonce all subdomains are confirmed HTTPS. - Stage 4 — preload: Add
preloadand submit tohstspreload.org. This is permanent — removing from the preload list takes months to propagate.
Common mistakes
- Sending HSTS over HTTP: Browsers ignore HSTS headers received on a plain HTTP response. The header must arrive on an HTTPS connection to be honoured.
- Adding preload before confirming all subdomains: A forgotten
http://internal.example.comsubdomain will become unreachable for all users once preload propagates. - Forgetting to actually submit: Adding
preloadto the header without submitting tohstspreload.orgdoes nothing for preloading — the directive is a prerequisite for submission, not the submission itself.