HSTS Checker

Free online HSTS checker. Scan any website to verify Strict-Transport-Security header configuration, check max-age value, includeSubDomains directive, preload eligibility, and HTTP-to-HTTPS redirect chain. Get instant HSTS analysis with specific fix recommendations.

What We Check

HSTS header detection
max-age value verification
includeSubDomains directive check
Preload eligibility assessment
HTTP-to-HTTPS redirect validation
Certificate chain verification

How It Works

1. Enter your website URL
2. We check the HTTP response for the Strict-Transport-Security header
3. HSTS directives (max-age, includeSubDomains, preload) are validated
4. The HTTP-to-HTTPS redirect chain is tested
5. You receive a report with HSTS configuration recommendations

Security Checks Included

This tool runs the following security checks on your website:

HSTS enabled
HTTP to HTTPS Redirect
HTTPS enabled
TLS Version
Certificate Expiry
Certificate Hostname & Chain

Frequently Asked Questions

What is an HSTS checker?
An HSTS checker is a free online tool that fetches your website and analyzes the Strict-Transport-Security (HSTS) header. It verifies the max-age value, checks for the includeSubDomains and preload directives, and validates the HTTP-to-HTTPS redirect chain — then provides specific fix recommendations.
How do I test my HSTS configuration?
Enter your website URL in the HSTS checker above. We'll check your Strict-Transport-Security header, validate all directives, test your redirect chain, and tell you exactly what needs to change to achieve proper HSTS protection.
What is HSTS?
HSTS (HTTP Strict Transport Security) is a security header that tells browsers to always use HTTPS when connecting to your site. It prevents SSL stripping attacks where attackers intercept HTTP connections before they redirect to HTTPS.
What max-age should I use for HSTS?
Start with a short max-age (e.g., 300 seconds) for testing. Once confirmed working, increase to at least 31536000 (1 year). For HSTS preload submission, you need a minimum of 1 year with includeSubDomains.
What is HSTS preloading?
HSTS preloading hardcodes your domain into browsers' built-in HSTS lists. This ensures HTTPS is enforced from the very first visit — before any HTTP response is received — eliminating the window where the initial request could be intercepted.
Should I use includeSubDomains in HSTS?
Yes, if all your subdomains support HTTPS. The includeSubDomains directive ensures HSTS applies to all subdomains, preventing attackers from using insecure subdomains to set cookies that affect the parent domain.
Is this HSTS checker free?
Yes, our HSTS checker is completely free. It analyzes your HSTS configuration in detail and is part of SecScanner's free toolkit that also checks SSL, cookies, DNS, and 60+ other security configurations.
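
The directive checks described in the answers above (max-age, includeSubDomains, preload) can be reproduced offline against a captured header value. The following is an added example, not SecScanner's code; the function names `parse_hsts` and `assess` and the status labels are assumptions made for illustration, and the parsing rules follow RFC 6797.

```python
import re

ONE_YEAR = 31536000  # minimum max-age the FAQ gives for production and preload

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}.

    Returns None for a header browsers would ignore under RFC 6797:
    a repeated directive, or max-age missing or not a plain integer.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives (e.g. a trailing ';') are allowed
        name, sep, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()  # names are case-insensitive
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # quoted-string form: max-age="300"
        if name in directives:
            return None
        directives[name] = arg if sep else None
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None
    directives["max-age"] = int(max_age)
    return directives

def assess(value):
    """Return (status, findings) for one header value."""
    d = parse_hsts(value)
    if d is None:
        return "invalid", ["malformed header; browsers ignore it"]
    if d["max-age"] == 0:
        return "disabled", ["max-age=0 tells browsers to drop their HSTS entry"]
    findings = []
    if d["max-age"] < ONE_YEAR:
        findings.append("max-age below 31536000 (1 year)")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    if "preload" not in d:
        findings.append("preload directive missing")
    return ("preload-ready" if not findings else "enabled"), findings

if __name__ == "__main__":
    # Constructed sample header values, not taken from any real site.
    for sample in ("max-age=300",
                   "max-age=31536000; includeSubDomains; preload",
                   "max-age=31536000; max-age=0",
                   "includeSubDomains; preload"):
        print(f"{sample!r}: {assess(sample)}")
```

This covers the header value only; the redirect chain and certificate checks listed above need a live request to the site.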

© 2025-2026 SecScanner. All rights reserved.