HSTS Checker
Verify your website's HSTS configuration including max-age, includeSubDomains, and preload directives. Ensure your site enforces HTTPS connections and is protected against downgrade attacks.
What We Check
HSTS header detection
max-age value verification
includeSubDomains directive check
Preload eligibility assessment
HTTP-to-HTTPS redirect validation
Certificate chain verification
How It Works
1. Enter your website URL
2. We check the HTTP response for the Strict-Transport-Security header
3. HSTS directives (max-age, includeSubDomains, preload) are validated
4. The HTTP-to-HTTPS redirect chain is tested
5. You receive a report with HSTS configuration recommendations
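The directive validation in steps 2 and 3, written out as an added example (not the tool's own code): it parses a Strict-Transport-Security header value, applies the one-year max-age threshold from the FAQ below, and reports whether the header meets the preload-eligibility conditions the FAQ names. The threshold constant and the sample header values are assumptions constructed for the example; the redirect-chain test of step 4 is not covered.

```python
import re

ONE_YEAR = 31536000  # seconds: the FAQ's production minimum and the preload floor

def parse_hsts(header):
    """Split an HSTS header into {name: value}; names are case-insensitive (RFC 6797)."""
    directives = {}
    for part in header.split(";"):
        if not part.strip():
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:  # repeated directives make the header invalid
            raise ValueError(f"duplicate directive '{name}'")
        directives[name] = value.strip().strip('"') if value else None
    return directives

def assess_hsts(header):
    """Findings for one Strict-Transport-Security header value (None = header absent)."""
    report = {"max_age": None, "include_subdomains": False,
              "preload_eligible": False, "issues": []}
    if header is None:
        report["issues"].append("no Strict-Transport-Security header")
        return report
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        report["issues"].append(str(exc))
        return report
    raw = d.get("max-age")
    if raw is None or not re.fullmatch(r"\d+", raw):
        report["issues"].append("max-age missing or not an integer; browsers ignore the header")
        return report
    report["max_age"] = int(raw)
    report["include_subdomains"] = "includesubdomains" in d
    if report["max_age"] == 0:
        report["issues"].append("max-age=0 clears HSTS instead of enforcing it")
    elif report["max_age"] < ONE_YEAR:
        report["issues"].append(f"max-age {raw} is below one year ({ONE_YEAR}); fine only for testing")
    if not report["include_subdomains"]:
        report["issues"].append("includeSubDomains absent: subdomains are not covered")
    # Preload eligibility as the FAQ states it: one-year max-age, includeSubDomains and preload.
    report["preload_eligible"] = (report["max_age"] >= ONE_YEAR
                                  and report["include_subdomains"] and "preload" in d)
    return report

# Constructed sample header values, not captured from any real site.
SAMPLES = {"testing": "max-age=300",
           "production": "max-age=31536000; includeSubDomains",
           "preload": "max-age=63072000; includeSubDomains; preload"}
```

Call assess_hsts on each value in SAMPLES to see the three outcomes: a testing-only header, a production header that is not yet preload-eligible, and a preload-eligible one.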
Security Checks Included
This tool runs the following security checks on your website
Frequently Asked Questions
What is HSTS?
HSTS (HTTP Strict Transport Security) is a security header that tells browsers to always use HTTPS when connecting to your site. It prevents SSL stripping attacks and insecure HTTP connections.
What max-age should I use for HSTS?
Start with a short max-age (e.g., 300 seconds) for testing. Once it is confirmed to work, increase it to at least 31536000 (1 year). For HSTS preload submission, a minimum of 1 year is required.
What is HSTS preloading?
HSTS preloading is a mechanism where your domain is hardcoded into browsers' HSTS lists. This ensures HTTPS is enforced from the very first visit, before any HTTP response is received.
Should I use includeSubDomains?
Yes, if all your subdomains support HTTPS. The includeSubDomains directive ensures HSTS applies to all subdomains, preventing attackers from using insecure subdomains to set cookies.
Ready to Check Your Website?
Run a free security scan now and get instant results with actionable fix recommendations.