Check HSTS Configuration
Inspect any domain's Strict-Transport-Security header instantly
Checking HSTS for …
- HSTS header present
- max-age ≥ 1 year
- includeSubDomains
- preload directive
- On browser preload list
- HTTP redirects to HTTPS
- Strict-Transport-Security
-- max-age
- -
- includeSubDomains
- -
- preload directive
- -
- Preload list status
- -
- HTTP → HTTPS redirect
- -
What is HSTS?
HTTP Strict Transport Security (HSTS) is a web security policy that tells browsers to only connect to your site over HTTPS - never HTTP. Once a browser sees the HSTS header, it will automatically upgrade any HTTP request to HTTPS for the duration of the max-age period, even before making a network request.
Prevents Downgrade Attacks
HSTS stops attackers from stripping HTTPS and intercepting traffic on HTTP — even if a user types http:// manually.
Preload List
Domains on the browser preload list are protected from the very first visit, before any HSTS header has been seen.
includeSubDomains
Adding includeSubDomains extends HSTS protection to every subdomain — essential for full coverage.
max-age Matters
Google recommends at least 31,536,000 seconds (1 year). The browser preload list requires a minimum of 10,886,400 seconds (18 weeks).
Need a Free SSL Certificate?
HSTS requires HTTPS. Generate a trusted SSL certificate powered by Let's Encrypt - completely free.