TLS | February 13, 2026 | 8 min read

HSTS Preload: Force HTTPS for Every Visitor from the First Connection

HSTS Preload ensures browsers always use HTTPS, eliminating the first-visit vulnerability. Learn how to qualify and submit your domain.

By SecScanner Team

HSTS (HTTP Strict Transport Security) tells browsers to always use HTTPS for your domain. But standard HSTS has a weakness: the browser only learns the policy from a Strict-Transport-Security header on an HTTPS response, so the very first visit to your site can still start over plain HTTP before that header has ever been seen. HSTS Preload closes this gap by hardcoding your domain into the list of HTTPS-only sites that ships inside the browser itself.

The First-Visit Problem

When a user types example.com in their browser, the first request typically goes to http://example.com. Your server redirects to HTTPS and, on the HTTPS response, sends the HSTS header. But that initial plaintext request is exposed to a man-in-the-middle: an attacker on the path can answer it directly, fetch the real site over HTTPS on the user's behalf, and keep serving the user a plain HTTP copy, so neither the redirect nor the HSTS header ever reaches the browser.

This is called an SSL stripping attack, and HSTS alone cannot prevent it on the first visit. The same window reopens on a fresh device or browser profile, and again once the cached policy's max-age has expired.

What Is HSTS Preload?

HSTS Preload is a list maintained by the Chromium project (and imported by Firefox, Safari, Edge, and other browsers) of domains that must only ever be loaded over HTTPS. When your domain is on this list, the browser rewrites any http:// URL for it to https:// before sending anything, so no plaintext request is made at all, not even on the first visit.

Requirements for HSTS Preload

Your domain must meet all of these requirements (they mirror the checks hstspreload.org runs before it accepts a submission):

  1. Valid HTTPS certificate — Your site must serve a valid, non-expired TLS certificate whose chain the browser trusts
  2. HTTP to HTTPS redirect on the same host — If you listen on port 80, http://example.com must redirect to https://example.com (not to https://www.example.com); the hop to www, if any, comes after that
  3. HSTS header on every HTTPS response for the base domain — The Strict-Transport-Security header must be present on the https://example.com response, including when that response is itself a redirect (a common failure is an HTTPS redirect to www that omits the header)
  4. max-age at least 31536000 — The HSTS max-age must be at least one year (31536000 seconds)
  5. includeSubDomains directive — The header must include the includeSubDomains directive
  6. preload directive — The header must include the preload directive
  7. All subdomains must support HTTPS — Every subdomain must be reachable over HTTPS with a valid certificate; in particular www.example.com must work over HTTPS if a DNS record for it exists

The Required Header

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
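Before running a live scan, it helps to be precise about what the checker is going to look at. The script below is an added example written for this article, not SecScanner's scanner and not hstspreload.org's code. It parses a Strict-Transport-Security value the way RFC 6797 section 6.1 defines it (directive names are case-insensitive, the max-age value may be quoted, and a directive may appear at most once), then applies the submission rules above to a set of constructed responses for an assumed example.com, so it runs offline and you can see which rule a given misconfiguration trips.

```python
"""Offline check of the hstspreload.org submission rules.

Added example, not SecScanner's or hstspreload.org's code. parse_sts()
reads the header as RFC 6797 section 6.1 defines it; check_site() applies
the preload rules to constructed responses, so nothing touches the network.
"""
from dataclasses import dataclass, field

ONE_YEAR = 31536000                 # minimum max-age accepted by hstspreload.org
REDIRECTS = (301, 302, 307, 308)


def parse_sts(value):
    """Return {directive: value} for one STS header, or None if malformed."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate a trailing ';'
        name, _, raw = part.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        if name in directives:
            return None                   # duplicate directive: header is invalid
        directives[name] = raw.strip().strip('"')   # max-age may be quoted
    return directives


def check_header(value):
    """List the problems that would make hstspreload.org reject this header."""
    d = parse_sts(value)
    if d is None:
        return ["malformed header (duplicate directive)"]
    problems = []
    if not d.get("max-age", "").isdigit():
        problems.append("max-age missing or not a number")
    elif int(d["max-age"]) < ONE_YEAR:
        problems.append(f"max-age {d['max-age']} is below {ONE_YEAR} (one year)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


@dataclass
class Response:
    """A constructed response: what curl -I would show. status 0 = connection failed."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        for k, v in self.headers.items():   # header names are case-insensitive
            if k.lower() == name.lower():
                return v
        return None


def check_site(domain, responses):
    """Apply the preload rules: same-host redirect, header on the base domain's
    HTTPS response (even if it is a redirect), every probed subdomain on HTTPS."""
    by_url = {r.url: r for r in responses}
    problems = []
    http = by_url.get(f"http://{domain}/")
    if http is None or http.status not in REDIRECTS:
        problems.append("http:// does not redirect")
    elif not (http.header("Location") or "").startswith(f"https://{domain}/"):
        problems.append("http:// redirect does not go to https:// on the same host")
    https = by_url.get(f"https://{domain}/")
    if https is None or https.status == 0:
        problems.append("https:// not reachable")
    else:
        sts = https.header("Strict-Transport-Security")
        if sts is None:
            where = " redirect" if https.status in REDIRECTS else ""
            problems.append(f"no Strict-Transport-Security header on https://{where}")
        else:
            problems += check_header(sts)
    for r in responses:
        host = r.url.split("/")[2]
        if (r.url.startswith("https://") and host.endswith("." + domain)
                and (r.status == 0 or r.status >= 400)):
            problems.append(f"{host} does not answer over HTTPS (status {r.status})")
    return problems


# Constructed responses for an assumed example.com: one ready to submit...
GOOD = [
    Response("http://example.com/", 301, {"Location": "https://example.com/"}),
    Response("https://example.com/", 200,
             {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    Response("https://www.example.com/", 200,
             {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
]
# ...and a common failing shape: everything bounces to www, the bare-domain
# HTTPS redirect forgets the header, and staging has no HTTPS listener at all.
BAD = [
    Response("http://example.com/", 301, {"Location": "https://www.example.com/"}),
    Response("https://example.com/", 301, {"Location": "https://www.example.com/"}),
    Response("https://www.example.com/", 200,
             {"Strict-Transport-Security": "max-age=2592000; includeSubDomains"}),
    Response("https://staging.example.com/", 0),
]

if __name__ == "__main__":
    for label, responses in (("good", GOOD), ("bad", BAD)):
        print(label, check_site("example.com", responses) or "ready to submit")
```

Note that the BAD set is rejected for the bare domain's missing header before the weaker header on www is ever considered: the preload rules are evaluated against the base domain, which is why a site that "has HSTS on www" still fails submission.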

Step-by-Step Preload Submission

Step 1: Prepare Your Infrastructure

Before submitting, ensure every subdomain supports HTTPS. The includeSubDomains directive means ALL subdomains are affected — including staging, internal, and legacy subdomains.

Step 2: Deploy the HSTS Header Gradually

Start with a short max-age and without the preload directive. Browsers cache the policy for max-age seconds from the last time they saw the header, so a short value lets you back out quickly if a forgotten subdomain breaks. Add preload only at the final stage, once you intend to keep the header permanently:

# Start with 5 minutes
Strict-Transport-Security: max-age=300; includeSubDomains

# Increase to 1 week
Strict-Transport-Security: max-age=604800; includeSubDomains

# Increase to 1 month
Strict-Transport-Security: max-age=2592000; includeSubDomains

# Final: 1 year with preload
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Step 3: Submit to the Preload List

Visit hstspreload.org and enter your domain. The tool fetches your site, checks every requirement above against the live responses, and, after you confirm that you own the domain and understand that removal is slow, queues it for addition to the list in the Chromium source tree.

Step 4: Wait for Browser Updates

After submission, it takes weeks to months for your domain to reach users: the entry first lands in the Chromium source, ships with the next Chrome releases, and reaches Firefox, Safari and Edge when they next import the Chromium list. The list is baked into each browser build, so a user only gets your entry when their browser updates.

Server Configuration Examples

Nginx:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
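A fuller nginx configuration, added here as an example rather than taken from SecScanner or any project; the hostnames, certificate paths, document root and backend address are assumptions. It shows the port-80 redirect the preload rules require, and the add_header inheritance rule that silently drops the HSTS header from any location block that sets a header of its own:

```nginx
# Added example (not SecScanner's config). Hostnames and paths are assumed.

# Port 80 only redirects, to the same host, as hstspreload.org requires.
# It sends no HSTS header: browsers ignore the header over plain HTTP anyway
# (RFC 6797 section 8.1), so there is nothing to gain by adding it here.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;    # assumed path

    # "always" emits the header on every status code. Without it nginx only
    # adds the header to 2xx and 3xx responses, so a 404 or 500 page would
    # go out without HSTS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    location / {
        root /var/www/example.com;   # assumed document root
    }

    location /api/ {
        # Caveat: add_header is not merged across levels. A location that has
        # any add_header of its own inherits none from the server block, so
        # the HSTS line has to be repeated here or /api/ ships without it.
        add_header Cache-Control "no-store";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        proxy_pass http://127.0.0.1:8080;   # assumed backend
    }
}
```

After reloading, confirm with curl -sI https://example.com/api/ and curl -sI https://example.com/does-not-exist that the header appears on both the location-specific route and an error response; those are the two places this configuration is most often wrong.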

Apache:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Cloudflare: Under SSL/TLS, Edge Certificates, enable HTTP Strict Transport Security (HSTS) and turn on the 12-month max-age, "Apply HSTS policy to subdomains" and "Preload" options. Cloudflare then adds the header at its edge for every proxied hostname; hostnames whose DNS records bypass the proxy must serve the header, and a valid certificate, themselves.

Important Warnings

  • Removal is slow: Getting removed from the preload list (via the removal form on hstspreload.org, after dropping the preload directive from your header) takes months for Chrome and longer for browsers that import the list on their own schedule, and browsers that have already cached your policy keep enforcing it until max-age runs out. Only submit when you're confident all subdomains will support HTTPS permanently.
  • includeSubDomains is mandatory: This affects ALL subdomains, at every depth. Ensure they all have valid certificates.
  • No HTTP fallback and no certificate click-through: Once preloaded, users cannot access your site over HTTP, and browsers refuse to let users bypass a certificate error on an HSTS host, so an expired or mismatched certificate on any subdomain becomes a hard failure rather than a warning page. There is no override.
  • Third-party subdomains: HSTS only governs HTTP traffic in browsers, so a mail.example.com that speaks only SMTP or IMAP is unaffected, but any subdomain that serves a website (a hosted blog, a webmail login page, a vendor's status page) must present a valid certificate for that hostname. Verify this with each provider before you submit.

Checking Your HSTS Preload Status

  1. Visit hstspreload.org and enter your domain
  2. Check Chrome's view of your domain at chrome://net-internals/#hsts: query the domain and look for a static (preloaded) entry as well as any dynamic entry learned from your header
  3. Run a SecScanner scan — the HSTS Preload Readiness check verifies all requirements
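The preload list is also just a file in the Chromium source (transport_security_state_static.json), so you can check coverage without a browser, which is useful when you want to know whether a deep subdomain is covered by a parent's entry. The script below is an added example, not the page's or Chromium's code. SAMPLE_LIST is constructed in the shape of that file ("entries" with "name", "mode" and "include_subdomains"); the real file also contains // comment lines, which the loader strips, so the same function works on a downloaded copy. The lookup walks from the host up through its parent domains, because a parent entry with include_subdomains covers every label beneath it.

```python
"""Look a host up in a Chromium-format preload list, offline.

Added example, not the page's or Chromium's code. SAMPLE_LIST is a
constructed stand-in for transport_security_state_static.json.
"""
import json

SAMPLE_LIST = """
// Lines like this appear in the real file and would break json.loads.
{
  "entries": [
    { "name": "example.com", "mode": "force-https", "include_subdomains": true },
    { "name": "legacy.example.net", "mode": "force-https", "include_subdomains": false }
  ]
}
"""


def load_preload_list(text):
    """Parse the list into {name: entry}, dropping // comment lines first."""
    stripped = "\n".join(line for line in text.splitlines()
                         if not line.lstrip().startswith("//"))
    return {e["name"]: e for e in json.loads(stripped)["entries"]}


def preload_status(host, entries):
    """Return (name of the covering entry, True if it forces HTTPS).

    The host itself matches exactly; a parent domain only counts when its
    entry sets include_subdomains. (None, False) means nothing covers the
    host, so a browser will still start that host over plain HTTP.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = entries.get(candidate)
        if entry is None:
            continue
        if i > 0 and not entry.get("include_subdomains", False):
            continue                     # parent entry does not extend downward
        return candidate, entry.get("mode") == "force-https"
    return None, False


if __name__ == "__main__":
    entries = load_preload_list(SAMPLE_LIST)
    for host in ("example.com", "api.staging.example.com",
                 "legacy.example.net", "www.legacy.example.net"):
        print(host, preload_status(host, entries))
```

The two example.net results are the point: a preloaded entry without include_subdomains protects only that exact hostname, which is why hstspreload.org insists on the directive for new submissions.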

HSTS Preload Checklist

  • Verify all subdomains support HTTPS with valid certificates
  • Set up HTTP to HTTPS redirects on all subdomains
  • Deploy HSTS header with max-age=31536000
  • Include the includeSubDomains directive
  • Include the preload directive
  • Test with hstspreload.org eligibility checker
  • Submit your domain for preload inclusion
  • Monitor with SecScanner to ensure header stays correctly configured

HSTS Preload is the strongest browser-side protection against SSL stripping and other protocol downgrade attacks. Once your domain is on the list, every browser that ships the list will enforce HTTPS from the very first connection, with no exceptions.

© 2025-2026 SecScanner. All rights reserved.