HSTS Preload Checker
Check HSTS headers and preload list status for any domain.
What This Tool Checks
Complete HSTS analysis including preload list verification.
HSTS Header Analysis
Parses the Strict-Transport-Security header to extract max-age, includeSubDomains, and preload directives.
Preload List Lookup
Checks the official hstspreload.org API to see if the domain is preloaded, pending, or not listed.
Eligibility Validation
Verifies all five requirements for HSTS preload submission with a clear pass/fail checklist.
Issue Detection
Identifies problems like insufficient max-age, missing directives, or HTTPS connectivity issues.
How It Works
Three steps to check your domain's HSTS configuration.
Enter a Domain
Type your domain name. No need to include https:// — the tool handles that automatically.
Analyze HSTS
The tool fetches the HTTPS response, parses the HSTS header, and queries the preload list API.
Review Status
See your preload status, header details, eligibility checklist, and any issues to fix.
Frequently Asked Questions
HTTP Strict Transport Security (HSTS) is a security header that tells browsers to only connect to your site over HTTPS. Once a browser sees this header, it will automatically upgrade all HTTP requests to HTTPS for the duration specified by max-age, preventing protocol downgrade attacks.
The HSTS preload list is a list of domains, hardcoded into browsers (Chrome, Firefox, Safari, Edge), that are only accessed over HTTPS. Being on this list means browsers enforce HTTPS from the very first visit, before even seeing the HSTS header, eliminating the first-visit vulnerability.
First, ensure your HSTS header includes max-age of at least 31536000 (1 year), the includeSubDomains directive, and the preload directive. Then visit hstspreload.org and submit your domain. Note that preloading affects all subdomains and is difficult to undo.
The preload list applies to the entire domain including all subdomains. The includeSubDomains directive ensures your HSTS policy already covers them. Without it, subdomains could still be accessed over HTTP, creating a security gap that preloading is meant to close.
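The header-level part of the eligibility check described above can be reproduced locally. The following is an added example, not this tool's own code: it parses a Strict-Transport-Security value and reports which of the three header requirements named in the FAQ (max-age of at least 31536000, includeSubDomains, preload) are not met. The function names and sample headers are assumptions made for the example, and it does not cover the HTTPS connectivity or preload list lookups.

```python
import re

MIN_PRELOAD_MAX_AGE = 31536000  # 1 year, the minimum stated in the FAQ above

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value; return (policy, errors)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    errors, seen = [], set()
    for raw in header_value.split(";"):
        part = raw.strip()
        if not part:
            continue  # tolerate empty directives such as a trailing ';'
        name, _, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()  # names are case-insensitive
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # RFC 6797 allows a quoted-string value
        if name in seen:
            errors.append(f"duplicate directive: {name}")  # header is invalid
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"[0-9]+", value):
                policy["max_age"] = int(value)
            else:
                errors.append(f"invalid max-age value: {value!r}")
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # any other directive is ignored
    if "max-age" not in seen:
        errors.append("missing required max-age directive")
    return policy, errors

def preload_header_issues(header_value):
    """List what blocks the header-level preload requirements (empty list = pass)."""
    policy, issues = parse_hsts(header_value)
    age = policy["max_age"]
    if age is not None and age < MIN_PRELOAD_MAX_AGE:
        issues.append(f"max-age {age} is below {MIN_PRELOAD_MAX_AGE}")
    if not policy["include_subdomains"]:
        issues.append("missing includeSubDomains directive")
    if not policy["preload"]:
        issues.append("missing preload directive")
    return issues

if __name__ == "__main__":
    for sample in ("max-age=63072000; includeSubDomains; preload",  # constructed
                   "max-age=300; includeSubDomains"):               # constructed
        print(sample, "->", preload_header_issues(sample) or "eligible header")
```

Feed it the header value taken from the response of the apex domain over HTTPS, since that is the response the preload requirements apply to.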
Related Tools
More security and header analysis tools.