HSTS Checker

Test whether a domain has HTTP Strict Transport Security configured correctly - including preload list status and HTTP redirect behaviour.

Check HSTS Configuration

Inspect any domain's Strict-Transport-Security header instantly

Try:

Checking HSTS for

HSTS Grade
-
Security Checks
  • HSTS header present
  • max-age ≥ 1 year
  • includeSubDomains
  • preload directive
  • On browser preload list
  • HTTP redirects to HTTPS
Header & Directives
Strict-Transport-Security
-
max-age
-
includeSubDomains
-
preload directive
-
Preload list status
-
HTTP → HTTPS redirect
-

What is HSTS?

HTTP Strict Transport Security (HSTS) is a web security policy that tells browsers to only connect to your site over HTTPS - never HTTP. Once a browser sees the HSTS header, it will automatically upgrade any HTTP request to HTTPS for the duration of the max-age period, even before making a network request.

Prevents Downgrade Attacks

HSTS stops attackers from stripping HTTPS and intercepting traffic on HTTP — even if a user types http:// manually.

Preload List

Domains on the browser preload list are protected from the very first visit, before any HSTS header has been seen.

includeSubDomains

Adding includeSubDomains extends HSTS protection to every subdomain — essential for full coverage.

max-age Matters

Google recommends at least 31,536,000 seconds (1 year). The browser preload list requires a minimum of 10,886,400 seconds (18 weeks).

Need a Free SSL Certificate?

HSTS requires HTTPS. Generate a trusted SSL certificate powered by Let's Encrypt - completely free.