HSTS Header Checker

Paste a Strict-Transport-Security header and verify max-age, subdomains, and preload

Parse a Strict-Transport-Security header and validate the max-age against the recommended one-year minimum, confirm includeSubDomains, and check preload eligibility. Returns a compliance score with specific, actionable recommendations. Runs entirely in your browser. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What max-age should I use for HSTS?

The minimum recommended max-age is one year, 31536000 seconds. For preload-list submission the max-age must be at least one year as well. Many sites use two years (63072000) for extra margin.

HTTP Strict Transport Security (HSTS) is a response header that forces browsers to use HTTPS for a domain, defeating SSL-stripping attacks that silently downgrade users to plaintext connections where traffic can be intercepted. The header is easy to get subtly wrong — too short a max-age, a missing includeSubDomains, or a preload directive that was never actually submitted to the preload list. This checker parses your header value, scores it against current best practice, and tells you exactly what to change.

How it works

A properly configured HSTS header looks like:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

The tool parses the three components and applies the recommended rules:

1. max-age Must be present and at least 31536000 seconds (one year). This tells the browser how long to remember the HTTPS-only instruction and refuse to connect over HTTP. A max-age shorter than one year is flagged; a missing max-age means no HSTS policy is in effect at all.

Common values:

  • 31536000 — one year (minimum recommended)
  • 63072000 — two years (common for production sites)
  • 10886400 — 18 weeks (a conservative ramp-up value)

2. includeSubDomains Extends the HTTPS-only policy to every subdomain of the domain that sent the header. Required for preload submission. Only add this when you are certain all subdomains (including ones you have forgotten about) serve valid HTTPS — enabling it on a subdomain that only serves HTTP will lock users out.

3. preload A signal that the site owner wants the domain added to browsers’ built-in HSTS preload list, so HTTPS is enforced from the very first visit — before any header has been received. Adding the preload directive in the header alone does nothing until the domain is submitted at hstspreload.org and accepted into the list. Preload requires both includeSubDomains and a max-age of at least one year.

Getting onto the preload list: the exact requirements

The hstspreload.org submission checks four conditions:

  1. max-age ≥ 31536000
  2. includeSubDomains present
  3. preload present
  4. The domain serves a valid HTTPS response (not just a redirect)

All four must be true simultaneously. The checker validates all of these from the header value you paste.

Safe rollout sequence

HSTS is difficult to reverse — once a browser caches a long max-age, it will refuse HTTP for that domain for the full duration even if you remove the header. Roll out in stages:

  1. Stage 1 — test: Deploy the header with max-age=300 (5 minutes). Verify HTTPS works on the root domain and all subdomains you care about.
  2. Stage 2 — ramp: Increase to max-age=86400 (24 hours). Monitor for any HTTP-only subdomain complaints.
  3. Stage 3 — production: Increase to max-age=31536000. Add includeSubDomains once all subdomains are confirmed HTTPS.
  4. Stage 4 — preload: Add preload and submit to hstspreload.org. This is permanent — removing from the preload list takes months to propagate.

Common mistakes

  • Sending HSTS over HTTP: Browsers ignore HSTS headers received on a plain HTTP response. The header must arrive on an HTTPS connection to be honoured.
  • Adding preload before confirming all subdomains: A forgotten http://internal.example.com subdomain will become unreachable for all users once preload propagates.
  • Forgetting to actually submit: Adding preload to the header without submitting to hstspreload.org does nothing for preloading — the directive is a prerequisite for submission, not the submission itself.