HSTS Checker
This tool helps to verify whether a website sends the Strict-Transport-Security header correctly and confirm whether HSTS is enabled for stronger HTTPS security.
HSTS Protocol, Policy, and Implementation
HSTS stands for HTTP Strict Transport Security. It is a web security policy that tells browsers to connect to a site only through HTTPS and never through insecure HTTP after the policy has been received.
When a browser sees a valid HSTS header, it remembers that rule for the time defined in the policy. The browser receives and stores the rule on the first HTTPS visit, and on all future visits within that period it automatically enforces HTTPS without trying HTTP first.
A typical HSTS policy is sent through the Strict-Transport-Security response header and may include:
- max-age: Tells the browser how long to remember the HSTS rule
- includeSubDomains (Optional): Applies the policy to all subdomains
- preload (Optional): Indicates that the domain may be submitted to browser preload lists
For example, a correct HSTS header configuration looks like this:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Proper HSTS implementation usually means:
- the site redirects all HTTP traffic to HTTPS
- the HTTPS version sends the correct HSTS header
- the certificate is valid
- all important subdomains are also secured if includeSubDomains is used
An HSTS header check helps confirm whether these rules are present and correctly configured.
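The check described above, as an added example written for this page (it is not the HSTS Checker's own code): a small Python routine that parses a Strict-Transport-Security value the way RFC 6797 defines it (directives separated by semicolons, case-insensitive names, max-age in seconds, optional quoted values) and reports the findings a checker would surface, including the one-year max-age preload minimum stated on this page. The sample header values are constructed for the demonstration; the `fetch_hsts_header` helper is an assumed convenience for fetching a real site's header and is not needed to run the offline part.

```python
"""Parse and evaluate a Strict-Transport-Security header value.

Added example, not the HSTS Checker's own code. It follows the directive
grammar of RFC 6797 and uses the one-year preload minimum from the page.
"""
import http.client
from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; minimum max-age for preload submission


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)

    @property
    def enabled(self) -> bool:
        # Browsers only store the policy when max-age parses and is > 0.
        return self.max_age is not None and self.max_age > 0

    @property
    def preload_ready(self) -> bool:
        # Header-level preload conditions: at least one year,
        # includeSubDomains and the preload token all present.
        return (self.max_age is not None and self.max_age >= ONE_YEAR
                and self.include_subdomains and self.preload)


def check_hsts(header_value: Optional[str]) -> HstsPolicy:
    """Parse one header value and record what a checker would flag."""
    policy = HstsPolicy()
    if header_value is None:
        policy.findings.append("Strict-Transport-Security header is missing")
        return policy
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # RFC 6797 allows quoted values
        if name in seen:  # RFC 6797: each directive may appear only once
            policy.findings.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                policy.max_age = int(value)
            else:
                policy.findings.append(f"max-age value is not an integer: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        else:
            # Browsers ignore unknown directives; still worth reporting.
            policy.findings.append(f"unknown directive ignored: {name}")
    if policy.max_age is None:
        policy.findings.append("max-age is required; browsers ignore the header without it")
    elif policy.max_age == 0:
        policy.findings.append("max-age=0 instructs browsers to drop the stored policy")
    elif policy.max_age < ONE_YEAR:
        policy.findings.append(f"max-age {policy.max_age} is below the 1-year preload minimum")
    if not policy.include_subdomains:
        policy.findings.append("includeSubDomains not set; subdomains are not covered")
    if not policy.preload:
        policy.findings.append("preload not set; domain cannot be preloaded")
    return policy


def fetch_hsts_header(hostname: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch the header over HTTPS (network call; not used by the offline demo)."""
    conn = http.client.HTTPSConnection(hostname, timeout=timeout)
    try:
        conn.request("HEAD", "/", headers={"Host": hostname})
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    samples = {
        "full": "max-age=31536000; includeSubDomains; preload",
        "short": "max-age=300",
        "quoted": 'max-age="31536000"; includeSubDomains',
        "broken": "includeSubDomains; preload",
    }
    for label, value in samples.items():
        p = check_hsts(value)
        print(f"{label:7} enabled={p.enabled} preload_ready={p.preload_ready}")
        for f in p.findings:
            print("        -", f)
```

The parser deliberately treats a header without max-age as "not enabled", matching browser behaviour: includeSubDomains and preload on their own do nothing. To check a live site, call `check_hsts(fetch_hsts_header("example.com"))`; note that this only covers the header itself, so the HTTP-to-HTTPS redirect and certificate validity still need separate checks.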
Why do we need an HSTS Checker?
An HSTS checker can help you:
- verify if HSTS is enabled
- perform an HSTS header check quickly
- review whether the HSTS policy is configured correctly
- identify missing directives such as includeSubDomains or preload
- support security audits and HTTPS hardening efforts
- test and scan your site for HSTS implementation, highlight performance benefits such as fewer HTTP-to-HTTPS redirects on repeat visits, and confirm that connections are encrypted
For developers, administrators, and security teams, HSTS testers/checkers are a simple way to validate that a site’s browser-side HTTPS enforcement is working as expected.
FAQs
The HSTS protocol (HTTP Strict Transport Security) is a browser security mechanism that forces secure HTTPS connections after a site sends the HSTS HTTP header.
The HSTS HTTP header enforces a secure connection by instructing web browsers to automatically upgrade all HTTP requests to HTTPS. HSTS is supported by all major browsers, including Chrome, Firefox, Safari, and Edge, so it can be relied on for the vast majority of users. This helps protect against protocol downgrade attacks and cookie hijacking.
HSTS means HTTP Strict Transport Security. It is a policy that helps protect websites by instructing browsers to use HTTPS only. The advantage of enabling HSTS is that it protects users from on-path attackers by ensuring all connections are upgraded to HTTPS.
You can use an online HSTS checker to scan your website for the presence of the Strict-Transport-Security header. These tools return results immediately after scanning your domain and show the details of your site's configuration: the HSTS directives, the policy expiry (max-age), subdomain inclusion, and preload status.
An HSTS checker can help you find and address issues with preload requirements or HTTPS support so that your website is configured correctly. It also helps you confirm that your website meets the HSTS preload requirements, which extend protection to a user's very first visit.
An HSTS policy is the rule sent by a server through the HSTS header. It tells browsers how long to enforce HTTPS and whether the rule should also apply to subdomains.
The max-age directive in the HSTS header specifies the duration in seconds for which the browser should remember to use HTTPS only for the site. The includeSubDomains directive can be added so that the policy applies not only to the main domain but also to all of its subdomains, widening the security coverage. To implement HSTS correctly, you must serve the HSTS header on the base domain over HTTPS.
To be included in the HSTS preload list, you must set the max-age directive to at least 31536000 seconds (1 year) and serve a valid HTTPS certificate on all subdomains.
HSTS implementation is the process of configuring a website to send the correct HSTS header over HTTPS so browsers automatically enforce secure connections on future visits.
Website owners are responsible for ensuring that all domains and subdomains support HTTPS before submitting their site to the HSTS preload list. Once a domain is added to the preload list, it is effectively a permanent commitment: removal is possible but slow and requires meeting strict conditions. Owners should follow the deployment steps carefully: enable HTTPS everywhere, set a short max-age value first, and increase it gradually as they confirm stability, making sure all settings are correct before preloading.
