Skip to main content
SecScannerSecScanner
Security ChecksFree ToolsPricingBlog
Get Started
Sign InGet Started
Security ChecksHSTS enabled
HeadersCritical PriorityFree

HSTS enabled

Updated June 2026·SecScanner Team

HTTP Strict Transport Security (HSTS) tells browsers to only access your site over HTTPS, preventing protocol downgrade attacks and cookie hijacking.

Why It Matters

Without HSTS, attackers can intercept the initial HTTP request before it redirects to HTTPS, enabling man-in-the-middle attacks. HSTS ensures browsers never make insecure requests to your domain.

How We Check

We verify the presence of the Strict-Transport-Security header and check for proper max-age value (minimum 1 year recommended), includeSubDomains directive, and preload eligibility.

How to Fix

Add the header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Start with a short max-age and gradually increase it. Consider submitting to the HSTS preload list.

Frequently Asked Questions

What is HSTS (HTTP Strict Transport Security)?

HSTS is an HTTP response header (`Strict-Transport-Security`) that instructs browsers to always connect to your site over HTTPS — never HTTP — for a specified period (max-age). Once a browser receives this header, it will refuse to connect via HTTP even if a user types 'http://' in the address bar.

What max-age value should I use for HSTS?

Use at least `max-age=31536000` (1 year) for production sites. Start with `max-age=300` (5 minutes) while testing to avoid locking yourself out if HTTPS breaks. Increase gradually: 5 min → 1 hour → 1 day → 1 week → 1 year. For HSTS preload list eligibility, 1 year is the minimum.

What is HSTS preloading and should I use it?

HSTS preloading hardcodes your domain into browsers' built-in lists (Chrome, Firefox, Safari, Edge) so HTTPS is enforced from the very first visit — before any header is received. To qualify, set `max-age=31536000; includeSubDomains; preload` and submit at hstspreload.org. Warning: preloading is difficult to reverse — ensure all subdomains support HTTPS before submitting.

Should I use includeSubDomains in my HSTS header?

Use `includeSubDomains` only if all your subdomains support HTTPS. It extends HSTS protection to every subdomain, preventing attacks where an insecure subdomain is used to set cookies for the parent domain. If any subdomain doesn't have a valid HTTPS certificate, users won't be able to access it.

Does having an HTTPS redirect replace HSTS?

No. An HTTP→HTTPS redirect only protects users on their second visit onward if they remember to use HTTPS. The first HTTP request is still sent unencrypted and can be intercepted (SSL stripping). HSTS tells the browser to never send that first HTTP request at all.

Related Security Checks

TLS

HTTPS enabled

TLS

HTTP to HTTPS Redirect

TLS

TLS Version

Related Tool

SSL Checker

Run all 10 related checks with our free ssl checker

Check Your Website Now

Run a free security scan to check for HSTS enabled issues and 62+ other security vulnerabilities.

Scan Your Website Free

Product

  • Security Checks
  • Free Tools
  • SSL Checker
  • Vulnerability Scanner
  • Email Security
  • Pricing
  • Compliance
  • Security Reports

Popular Checks

  • CSP Check
  • HSTS Check
  • TLS Version Check
  • SSL Expiry Check
  • SPF/DKIM/DMARC Check
  • Cookie Security Check
  • JS Vulnerability Scan
  • OCSP Stapling Check

Resources

  • Blog
  • Glossary
  • Contact

Legal

  • Terms of Use
  • Privacy Policy
  • Refund Policy
  • Cookie Policy

© 2025-2026 SecScanner. All rights reserved.