HSTS forces the browser to always use HTTPS and stops downgrade attacks. We check your HSTS header — max-age, includeSubDomains and preload.
Run a free domain scan All checks →We check that your Strict-Transport-Security header exists, has a long enough max-age (at least a year), covers subdomains with includeSubDomains, and whether the domain is preload-eligible.
Without HSTS, an attacker on the network can force a user back to unencrypted HTTP and eavesdrop or tamper on the first visit. HSTS is one of the simplest and most effective security headers.
Strict-Transport-Security from your endpointmax-age against the recommended ≥ 31536000 (1 year)includeSubDomainsmax-age (e.g. a few hours) — almost no effectincludeSubDomains → subdomains unprotectedCan HSTS lock me out?
If you set includeSubDomains or preload while not ALL subdomains run HTTPS, they can become unreachable. We flag that risk before you enable it.
What is preload?
A list built into browsers where HSTS applies from the very first visit. Requires max-age ≥ 1 year, includeSubDomains and preload in the header.
Does the check affect the site?
No — we only read response headers passively.
Run a free scan or order a full Security Assessment — prioritised, not noise.
Run a free domain scan