Test HSTS before you preload - because you only get to do it wrong once.
Hand off to the full WebShield scanner, which runs this check alongside every other header, DNS and email-authentication probe.
HSTS tells browsers to refuse HTTP for your domain - permanently. Get it right, and SSL stripping is dead on your site. Get it wrong (short max-age, missing includeSubDomains, a broken HTTPS cert on a subdomain), and your preload submission either bounces or - worse - locks real users out. This checker verifies every requirement the Chromium HSTS preload list enforces, before you ship.
Without HSTS, an attacker on the same network (airport Wi-Fi, a compromised router, a hostile ISP) can silently downgrade the first request to your site to HTTP and sit in the middle. With HSTS - especially preloaded - the browser refuses to even try HTTP. It is the single highest-leverage transport-security header you can ship.
WebShield issues an HTTPS request, follows redirects, and inspects the Strict-Transport-Security header on the final response. max-age, includeSubDomains and preload are parsed out. The scanner also cross-checks whether the header is being served on the correct response (plain-HTTP responses with HSTS are a common misconfiguration that browsers silently discard).
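To make that check concrete, here is an added example (not WebShield's own code) that parses a Strict-Transport-Security value and reports which of the preload requirements this page lists it fails: max-age of at least 31536000, includeSubDomains, preload, and the header being seen on an HTTPS rather than plain-HTTP response. The sample header values are constructed, not captured from a real site.

```python
from dataclasses import dataclass
from typing import List, Optional

# Minimum max-age the Chromium preload list accepts: 31536000 s (one year).
PRELOAD_MIN_MAX_AGE = 31536000

@dataclass
class HstsPolicy:
    max_age: Optional[int]      # None when absent or not an integer
    include_subdomains: bool
    preload: bool

def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value.
    Directives are ';'-separated and case-insensitive; the first
    max-age wins and a non-numeric max-age is treated as absent."""
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and max_age is None and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)

def preload_problems(policy: HstsPolicy, served_over_https: bool = True) -> List[str]:
    """Reasons a header fails the preload requirements; empty list means eligible.
    served_over_https=False models a header only seen on plain HTTP, which browsers discard."""
    problems = []
    if not served_over_https:
        problems.append("header served on a plain-HTTP response; browsers ignore it there")
    if policy.max_age is None:
        problems.append("max-age missing or not an integer")
    elif policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age={policy.max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems

if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    for hdr in ("max-age=63072000; includeSubDomains; preload", "max-age=300", "includeSubDomains"):
        print(repr(hdr), "->", preload_problems(parse_hsts(hdr)) or "preload-eligible")
```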
Nginx:
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

Apache:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

Vercel-style headers configuration (vercel.json):
{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        {
          "key": "Strict-Transport-Security",
          "value": "max-age=63072000; includeSubDomains; preload"
        }
      ]
    }
  ]
}

Cloudflare:
Dashboard → SSL/TLS → Edge Certificates → Enable HSTS
Max-Age: 12 months
Apply HSTS to subdomains: On
Preload: On (only after verifying all subdomains are HTTPS-capable)

The HSTS preload list is a hard-coded list of domains shipped with Chromium, Firefox, Safari and Edge. Browsers refuse HTTP for any domain on the list from the very first request - no trust-on-first-use gap. You submit at hstspreload.org once max-age=31536000, includeSubDomains and preload are all present.
Practically, no. Removal requests are accepted, but it takes months for browser updates to propagate, and some users never update. Do not preload unless every single current and future subdomain will resolve over HTTPS with a valid certificate.
Start with max-age=300 (five minutes) to verify the header ships. Ramp to 86400 (one day), then 2592000 (one month), then 31536000 (one year). Only add preload after you have been on 31536000 for at least a week without issues.
Not by itself - a first-time visitor on a hostile network can still be stripped. That is exactly the gap the preload list closes: for preloaded domains, the browser already knows to require HTTPS before the user ever connects.