
HSTS Preload Checker.

Check whether a domain enforces HTTPS via HSTS and whether it qualifies for the browser preload list.

Last reviewed: May 2026



What is HSTS?

HTTP Strict Transport Security (RFC 6797) is a response header that tells a browser to only talk to a given host over HTTPS. Once a browser has seen Strict-Transport-Security from a site, it refuses any plain HTTP request to that host for the duration the header specifies — even if the user types http:// in the address bar, even if a link points at http://, the browser silently upgrades or refuses.

The whole point is to close the "first-request" gap. Without HSTS, a man-in-the-middle on a hostile network (open Wi-Fi, malicious ISP, attacker on the same wire) can intercept the very first HTTP request to a site and serve a downgraded version that never upgrades to HTTPS. With HSTS, the first request is the only window — and the preload list closes that window too.

What is the preload list?

The preload list is a hardcoded list of domains, shipped with Chrome (and consumed by Firefox, Safari, Edge, Opera, Brave) for which the browser pretends it has already seen the HSTS header — even on the literal first visit. No first-request gap, no opportunity for an attacker to inject a downgrade.

It's the strictest form of HTTPS enforcement available. Big sites are on it: google.com, github.com, cloudflare.com, paypal.com, every TLD that runs banking or auth services in serious volume. Smaller sites are eligible if they meet the requirements below.

Preload requirements

To submit a domain at hstspreload.org, the apex (and every subdomain it covers) must satisfy all of:

  • Valid HTTPS — publicly-trusted TLS certificate, no name mismatches, no expired chain.
  • HTTP → HTTPS redirect on the same host (not just a redirect to www.).
  • max-age ≥ 31536000 (one year) in the HSTS header.
  • includeSubDomains directive present.
  • preload directive present — this is the explicit opt-in.
  • Every subdomain (including dev / staging / internal) must serve HTTPS or be removed before submission.

The checker above queries the live hstspreload.org status API to tell you whether the domain is currently preloaded (in the list), pending (submitted but not yet shipped), or unknown (not in the list).

Important warning before submitting

Getting off the preload list takes months. The list updates ship with new Chrome stable releases (roughly every four weeks), and Chrome stays in circulation for years after that. If you submit a domain and then realise a subdomain doesn't support HTTPS — internal docs, an old marketing landing page, a forgotten staging environment — those subdomains will be unreachable for every visitor whose Chrome has the preload entry baked in. For a year. Possibly longer.

Run a full subdomain audit before submitting. The Certificate Transparency search is useful here — every subdomain that ever appeared on a publicly trusted certificate will show up, and if any of them are still in service over HTTP, they're a problem.

HSTS vs an HTTPS redirect

These do different things. An HTTPS redirect lives in your server config: an HTTP request lands, the server returns 301 → https://..., the browser follows. Anyone watching the wire can see the original HTTP request and a man-in-the-middle can rewrite the redirect target.

HSTS lives in the browser. After the first successful HTTPS response, the browser refuses HTTP outright — no request to intercept, no redirect to rewrite. HSTS is the strictly stronger version. You want both: the redirect handles the very first visit (and visitors with old or non-HSTS browsers); HSTS handles every visit after that.

Common configurations

  • HSTS without preload — Strict-Transport-Security: max-age=63072000; includeSubDomains. Browsers enforce HTTPS for two years after the first visit. Use this if you want HSTS now but aren't ready to commit to preload.
  • HSTS with preload — add the preload directive and submit at hstspreload.org. The directive alone doesn't add you to the list; submission is the explicit opt-in.
  • Phase-in HSTS — start with a short max-age (say, an hour: max-age=3600), watch nothing break for a week, raise to a day, then a month, then the year required for preload. Rolling back from max-age=31536000 is hard.
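The header-side checks behind the preload requirements above, run against the three configurations in this list, as an added example (not the checker's own code; parseHsts and preloadProblems are names chosen here):

```javascript
// Added example: parse a Strict-Transport-Security value per RFC 6797 and
// report which of the hstspreload.org header requirements it fails.
const ONE_YEAR = 31536000; // minimum max-age accepted for preload submission

function parseHsts(headerValue) {
  // Directives are ';'-separated; names are case-insensitive; the max-age
  // value may be a bare token or a quoted string; unknown directives are ignored.
  const result = { maxAge: null, includeSubDomains: false, preload: false, errors: [] };
  if (headerValue == null) return result;
  for (const raw of headerValue.split(';')) {
    const part = raw.trim();
    if (!part) continue;
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? null : part.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (name === 'max-age') {
      if (value === null || !/^\d+$/.test(value)) result.errors.push('max-age has no numeric value');
      else if (result.maxAge !== null) result.errors.push('max-age appears more than once');
      else result.maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      result.includeSubDomains = true;
    } else if (name === 'preload') {
      result.preload = true;
    }
  }
  return result;
}

// Returns an array of problems; an empty array means the header itself
// satisfies the preload requirements (subdomain coverage and the HTTP
// redirect still have to be verified separately, as the page notes).
function preloadProblems(headerValue) {
  const h = parseHsts(headerValue);
  const problems = [...h.errors];
  if (h.maxAge === null) problems.push('no HSTS header or no max-age directive');
  else if (h.maxAge < ONE_YEAR) problems.push(`max-age ${h.maxAge} is below ${ONE_YEAR} (one year)`);
  if (!h.includeSubDomains) problems.push('includeSubDomains directive missing');
  if (!h.preload) problems.push('preload directive missing');
  return problems;
}

// The three configurations from the list above (constructed inputs).
console.log(preloadProblems('max-age=63072000; includeSubDomains'));          // preload missing
console.log(preloadProblems('max-age=63072000; includeSubDomains; preload')); // []
console.log(preloadProblems('max-age=3600'));                                 // three problems
```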

What this checker doesn't catch

  • Subdomain HTTPS coverage — we read the header at the apex but can't enumerate every subdomain of an arbitrary host. The preload list checker at hstspreload.org runs that audit; submission gets rejected if any subdomain fails.
  • HTTP → HTTPS redirect compliance — Cloudflare Workers don't open arbitrary HTTP connections cheaply, and we don't pretend to. hstspreload.org verifies this for you at submission time.
  • Cert chain validity beyond "responds over HTTPS" — for a deeper inspection of the TLS handshake, chain, and cipher suite, use the SSL inspector.