Tool guide

HSTS Checker

An HSTS checker helps confirm whether your HTTPS site tells browsers to keep using HTTPS on future visits.

01

What HSTS Requires

Browsers only honor Strict-Transport-Security on a valid HTTPS response. Sending it over plain HTTP does not count.

Before using long max-age values, make sure the certificate is valid and HTTP redirects cleanly to the intended HTTPS host.

02

Reading The Header

A basic HSTS header includes max-age. Stronger policies may also include includeSubDomains and preload.

Use includeSubDomains only when every important subdomain is ready for HTTPS. Preload is powerful and harder to undo.
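
The directives above, parsed and checked in Python. This is an added example, not code from this guide or from any particular checker tool. Parsing follows RFC 6797; the two preload checks reflect the hstspreload.org submission requirements; the function names and sample values are constructed for illustration.

```python
import re

TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
PRELOAD_MIN_AGE = 31536000  # one year; hstspreload.org submission minimum

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Raises ValueError where a conforming browser would ignore the header."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                       # empty directives are permitted
            continue
        name, sep, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()  # names are case-insensitive
        if not TOKEN.fullmatch(name):
            raise ValueError(f"malformed directive: {part!r}")
        if name in seen:                   # each directive may appear only once
            raise ValueError(f"duplicate directive: {name}")
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]                # quoted-string form: max-age="300"
        seen[name] = arg if sep else None
    age = seen.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        raise ValueError("max-age is required and must be an integer of seconds")
    return {"max_age": int(age),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}

def review(value):
    """Return rollout findings for a header value (empty list means none)."""
    try:
        p = parse_hsts(value)
    except ValueError as exc:
        return [f"header ignored by browsers: {exc}"]
    notes = []
    if p["max_age"] == 0:
        notes.append("max-age=0 clears the cached policy")
    if p["preload"] and not p["include_subdomains"]:
        notes.append("preload set without includeSubDomains")
    if p["preload"] and p["max_age"] < PRELOAD_MIN_AGE:
        notes.append("preload set with max-age under one year")
    return notes

# Constructed sample values, not captured from any real site.
SAMPLES = ["max-age=300", 'MAX-AGE="63072000"; includeSubDomains; preload',
           "max-age=86400; preload", "includeSubDomains", "max-age=1; max-age=2"]
if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", review(s) or "ok")
```
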

03

Safe Rollout

Start with a shorter max-age while you test. Increase it once HTTPS works reliably across the hosts users actually visit.

If old subdomains, staging hosts, or third-party services still rely on HTTP, fix those before adding includeSubDomains or preload.

FAQ

Common questions

What does an HSTS checker look for?

It checks whether the final HTTPS response includes the Strict-Transport-Security header and lets you inspect its directives.

Should every site use HSTS preload?

No. Preload should only be used when the whole domain and important subdomains are ready for HTTPS.

Can I remove HSTS immediately?

Not always. Browsers may cache a previous HSTS value until it expires.

Does HSTS fix an expired certificate?

No. Fix certificate problems before enabling or tightening HSTS.