HSTS / preload check
Verify your Strict-Transport-Security header and preload eligibility.
The HSTS check examines a site's Strict-Transport-Security response header to confirm browsers are told to connect over HTTPS only. It reports the max-age duration, whether subdomains are included, and whether the preload directive is present and the header meets the requirements of the browser preload list. A solid configuration defends against protocol-downgrade (SSL-stripping) and cookie-hijacking attacks: once a browser has seen the header over HTTPS, it rewrites plain-HTTP requests to that host to HTTPS for the max-age period and refuses to click through certificate errors, and preloading closes the remaining gap of the very first visit. Header settings can be lost in a deploy (a new reverse proxy, a rewritten server block, a changed CDN setting), so it's worth re-checking after changes.
Frequently asked questions
What max-age should I use for HSTS?
Preload eligibility requires a max-age of at least one year (31536000 seconds), along with the includeSubDomains and preload directives, served over HTTPS on the base domain. The preload list also requires a valid certificate and that the HTTP version of the site redirect to HTTPS on the same host. Roll out with a short max-age first (minutes or hours) to confirm nothing breaks, then raise it; short durations do not qualify for the list but limit the damage if a subdomain or redirect turns out to be wrong.
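As an added worked example (not code from this page or from the checker itself), the following Python parses a Strict-Transport-Security value the way a checker would: it reports the max-age, the includeSubDomains and preload directives, flags malformed or duplicated directives, recognises max-age=0 as a policy reset, and lists which preload requirements the header alone fails. The directive handling follows RFC 6797 and the one-year minimum is the hstspreload.org requirement as understood here; the sample header values at the bottom are constructed, not captured from any real site.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# hstspreload.org minimum max-age: one year in seconds (assumed current
# requirement; confirm against the site before submitting a domain).
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None          # None when absent or unparseable
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        # RFC 6797: max-age is mandatory, and a malformed header is ignored entirely.
        return self.max_age is not None and not self.problems


# One directive: a token, optionally "=" and a token or quoted-string value.
_DIRECTIVE = re.compile(
    r'^\s*([A-Za-z0-9!#$%&\'*+.^_`|~-]+)\s*(?:=\s*("?)([^";]*)\2\s*)?$'
)


def parse_hsts(header: str) -> HstsPolicy:
    """Parse the value of one Strict-Transport-Security header field."""
    policy = HstsPolicy()
    seen = set()
    for raw in header.split(";"):
        if not raw.strip():
            continue                                  # tolerate a trailing ';'
        m = _DIRECTIVE.match(raw)
        if not m:
            policy.problems.append(f"unparseable directive: {raw.strip()!r}")
            continue
        name = m.group(1).lower()                     # directive names are case-insensitive
        value = m.group(3).strip() if m.group(3) is not None else None
        if name in seen:                              # RFC 6797 forbids repeated directives
            policy.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value is None or not value.isdigit():
                policy.problems.append("max-age must be a non-negative integer")
            else:
                policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # any other directive is ignored, as RFC 6797 section 6.1 requires
    if "max-age" not in seen:
        policy.problems.append("required max-age directive missing")
    return policy


def preload_blockers(policy: HstsPolicy) -> List[str]:
    """Header-level reasons the domain is not preload-eligible. An empty list means
    the header passes; the preload list separately checks the certificate and the
    HTTP-to-HTTPS redirect, which this function cannot see."""
    reasons = list(policy.problems)
    if policy.max_age is not None and policy.max_age < PRELOAD_MIN_MAX_AGE:
        reasons.append(f"max-age {policy.max_age} is below one year ({PRELOAD_MIN_MAX_AGE})")
    if not policy.include_subdomains:
        reasons.append("includeSubDomains directive missing")
    if not policy.preload:
        reasons.append("preload directive missing")
    return reasons


def report(header: str) -> dict:
    """Summarise one header value the way an HSTS checker would."""
    policy = parse_hsts(header)
    return {
        "valid": policy.valid,
        "max_age": policy.max_age,
        # max-age=0 tells browsers to forget the stored policy for this host
        "clears_policy": policy.valid and policy.max_age == 0,
        "include_subdomains": policy.include_subdomains,
        "preload": policy.preload,
        "preload_blockers": preload_blockers(policy),
    }


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    for sample in (
        "max-age=31536000; includeSubDomains; preload",
        'MAX-AGE="31536000"; IncludeSubDomains; preload; x-unknown=1',
        "max-age=300",
        "max-age=0",
        "includeSubDomains; preload",
        "max-age=100; max-age=200",
    ):
        print(f"{sample!r:60} -> {report(sample)}")
```

The parser only sees the header value; a real check must also confirm the header arrived over HTTPS on the base domain, since browsers discard it otherwise.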
What does the preload directive do?
It signals that you consent to having the domain hardcoded into browsers' built-in HSTS lists, so HTTPS is enforced even on a user's very first visit. The directive itself changes nothing in the browser; you still have to submit the domain at hstspreload.org as a separate step, and removal from the list takes a long time to reach shipped browsers, so treat submission as a long-term commitment.
Why is HSTS worth it?
Without it, a user who types the domain without a scheme or follows an http:// link sends a plain-HTTP request that an attacker on the path can intercept or keep on HTTP (an SSL-stripping attack). Once HSTS is cached, the browser upgrades such requests to HTTPS itself, before anything leaves the machine, and refuses to proceed past certificate errors for that host; preloading extends this protection to the first visit as well.
What does includeSubDomains do, and is it risky?
It extends the HTTPS-only rule to every subdomain, which is what protects cookies scoped to the parent domain from being leaked by an HTTP request to any subdomain. The cost is that any subdomain still served over HTTP becomes unreachable from every browser that cached the policy, and stays that way until the max-age expires. Confirm all subdomains, including internal and forgotten ones, support HTTPS before enabling it.
Can I undo HSTS once it's set?
For a normal header, yes: serve max-age=0 over HTTPS and each browser discards its stored policy the next time it visits. Until then, clients that cached a long max-age keep enforcing HTTPS, so the rollback is only as fast as your users return. Preload-list removal is a separate request and takes months to propagate into browser releases, so test thoroughly before preloading.
Why is HSTS only honored over HTTPS?
Browsers ignore the header if it arrives over plain HTTP, since an attacker on the network could otherwise forge or strip it, and they also ignore it on an HTTPS connection that had certificate errors. The first error-free secure connection is what establishes the policy, and the policy applies to the host that served the header.
More SSL/TLS & security tools
Want this checked automatically and around the clock? Create a free SJ Monitor account and we'll alert you the moment something changes.