Security check

HSTS check: shut the door on HTTPS downgrade

HSTS forces the browser to always use HTTPS and stops downgrade attacks. We check your HSTS header — max-age, includeSubDomains and preload.

Run a free domain scan All checks →
Relates to: NIS2 · art. 21 — operational security ISO 27001 · A.8.9 / A.8.24 OWASP · Secure Headers

What we check

We check that your Strict-Transport-Security header exists, has a long enough max-age (at least a year), covers subdomains with includeSubDomains, and whether the domain is preload-eligible.

Why it matters

Without HSTS, an attacker on the network can force a user back to unencrypted HTTP and eavesdrop or tamper on the first visit. HSTS is one of the simplest and most effective security headers.

How Security Guru tests it

Common mistakes

  • Short max-age (e.g. a few hours) — almost no effect
  • Missing includeSubDomains → subdomains unprotected
  • HSTS set but the site still answers on HTTP with no redirect
  • Preload specified but the domain not submitted to the preload list

What you get in the report

  • HSTS status with the exact header value
  • Whether max-age, includeSubDomains and preload are correct
  • Recommended header value to set
  • Other transport-security gaps (e.g. missing HTTP→HTTPS redirect)

FAQ

Can HSTS lock me out?

If you set includeSubDomains or preload while not ALL subdomains run HTTPS, they can become unreachable. We flag that risk before you enable it.

What is preload?

A list built into browsers where HSTS applies from the very first visit. Requires max-age ≥ 1 year, includeSubDomains and preload in the header.

Does the check affect the site?

No — we only read response headers passively.

Want to know your status?

Run a free scan or order a full Security Assessment — prioritised, not noise.

Run a free domain scan