HSTS preload requirements
To appear on the browser HSTS preload list, a site’s Strict-Transport-Security
header must meet specific rules from hstspreload.org. This reference explains
each requirement and includes a validator that checks a header value for
max-age, includeSubDomains and the preload directive.
What HSTS does and why preloading matters
Without HSTS, the very first time a user visits your site their browser may send a plain HTTP request — even if all subsequent visits use HTTPS. That first request is the window an attacker needs for a protocol downgrade or SSL-stripping attack. The Strict-Transport-Security header closes this gap for return visitors by telling the browser to always use HTTPS, but the very first visit is still unprotected.
Preloading closes the first-visit gap entirely. Browsers ship with a hard-coded list of domains (the preload list) that must always be loaded over HTTPS, even before the browser has ever seen the site. Once your domain is on that list, no user ever makes a plaintext request, regardless of what they type in the address bar.
How it works
HSTS is sent as a single response header over HTTPS:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
For preload, hstspreload.org requires max-age of at least one year
(31536000), the includeSubDomains directive, and the preload directive —
in addition to a valid certificate and HTTP-to-HTTPS redirects. The validator
parses the directives, confirms each rule, and reports what is missing.
The five preload requirements in detail
| Requirement | What to check |
|---|---|
| Valid TLS certificate | Serves a certificate that chains to a trusted root; no mixed-content warnings |
| HTTP redirects to HTTPS | http://yourdomain.com returns 301 or 302 to its HTTPS equivalent |
| All subdomains over HTTPS | Every subdomain that exists must serve valid HTTPS |
max-age ≥ 31536000 | Header must declare one year or more |
includeSubDomains + preload directives | Both tokens must be present in the header |
The validator here checks the header syntax; you need to verify the certificate and redirect rules yourself using a browser or curl -I http://yourdomain.com.
Common failure modes
“includeSubDomains” rejected because of a broken subdomain. If mail.yourdomain.com or dev.yourdomain.com serves HTTP-only or has a certificate error, adding includeSubDomains will break those subdomains for users whose browsers already received the HSTS policy. Audit all subdomains before enabling this directive.
Forgetting that preload is a long commitment. Removal from the preload list requires submitting a removal request and then waiting for the change to ship in browser releases. During that window, users whose browsers already have the preloaded entry can’t visit your site over HTTP even if you want them to. Treat preloading as permanent.
Setting max-age too short for non-preload HSTS. For ordinary (non-preloaded) HSTS, any max-age above zero works. But many security auditors and compliance tools flag values under 15768000 (six months) as weak. The one-year minimum for preloading is also a sensible floor for non-preloaded sites.
Tips and notes
- Start with a short
max-age(for example 86400, one day) while testing, then ramp to 31536000 once every subdomain is confirmed working. Only addpreloadat the end, once everything is stable. includeSubDomainsforces every subdomain to HTTPS; verify they all work first.- The base-domain HTTP response must redirect to its own HTTPS before anything else. Some hosts redirect www to non-www at the HTTP level, skipping the HTTPS step — that fails the requirement.
- Without
preload, the same header still enables ordinary dynamic HSTS, which protects all return visitors.