WEB-02 / WEBSITE SECURITY
HSTS Checker
Check a website's HTTP Strict Transport Security policy, which forces browsers to connect over HTTPS and blocks downgrade attacks.
About the HSTS Checker
HSTS tells browsers to only ever connect to your site over HTTPS, even if a user types http:// or clicks an insecure link. It closes the window for downgrade and cookie-hijacking attacks. This tool checks a site's HSTS policy and its strength.
What this tool checks
It reads the Strict-Transport-Security response header and reports the max-age duration, whether the includeSubDomains directive is set, and whether the preload directive is present.
Reading the policy
A strong policy has a max-age of at least six months, includeSubDomains to cover every subdomain, and optionally preload for inclusion in browsers' built-in HSTS lists.
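The following Python script is an added example, not the checker's own code, showing how the two sections above ("What this tool checks" and "Reading the policy") can be implemented: it parses a Strict-Transport-Security header into its directives and grades the policy against the thresholds the page gives. The six-month threshold (15552000 seconds) is the page's own recommendation; the one-year threshold for preload readiness (31536000 seconds) is the hstspreload.org submission requirement. The function names, the rating labels and the sample header values are this example's own choices.

```python
"""Parse and grade an HTTP Strict-Transport-Security header (RFC 6797).

Added example, not the checker's own code. Thresholds:
  STRONG_MAX_AGE      = six months, the recommendation on this page
  PRELOAD_MIN_MAX_AGE = one year, the hstspreload.org submission requirement
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import urllib.request

STRONG_MAX_AGE = 15552000        # six months, per this page
PRELOAD_MIN_MAX_AGE = 31536000   # one year, hstspreload.org requirement


@dataclass
class HstsPolicy:
    present: bool                         # header seen on an HTTPS response
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsPolicy:
    """Split the header into directives (RFC 6797 section 6.1).

    Directive names are case-insensitive, the max-age value may be quoted,
    a directive appearing twice makes the header invalid, and unknown
    directives are ignored so future extensions do not break parsing.
    """
    policy = HstsPolicy(present=True)
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            policy.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                policy.problems.append(f"invalid max-age value: {value!r}")
                continue
            policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age is None:
        policy.problems.append("max-age directive missing; browsers ignore the header")
    return policy


def grade(policy: HstsPolicy) -> Tuple[str, List[str]]:
    """Return (rating, findings) for a parsed policy.

    Ratings, weakest to strongest: missing, invalid, disabled, weak,
    moderate, strong, preload-ready. The rating labels are this example's own.
    """
    findings = list(policy.problems)
    if not policy.present:
        return "missing", ["no Strict-Transport-Security header on the HTTPS response"]
    if policy.max_age is None or policy.problems:
        return "invalid", findings
    if policy.max_age == 0:
        # max-age=0 instructs browsers to delete any stored policy for the host
        return "disabled", findings + ["max-age=0 clears the policy instead of enforcing HTTPS"]
    if policy.max_age < STRONG_MAX_AGE:
        findings.append(f"max-age {policy.max_age} is below six months ({STRONG_MAX_AGE})")
        return "weak", findings
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains stay reachable over plain HTTP")
        return "moderate", findings
    if policy.preload and policy.max_age >= PRELOAD_MIN_MAX_AGE:
        return "preload-ready", findings
    if policy.preload:
        findings.append(f"preload set but max-age is below one year ({PRELOAD_MIN_MAX_AGE})")
    return "strong", findings


def fetch_hsts(host: str, timeout: float = 10.0) -> HstsPolicy:
    """Fetch the header over HTTPS; browsers only honour HSTS on HTTPS responses."""
    req = urllib.request.Request(f"https://{host}/", method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        value = resp.headers.get("Strict-Transport-Security")
    return parse_hsts(value) if value is not None else HstsPolicy(present=False)


if __name__ == "__main__":
    # Constructed sample headers; no network access needed to run this.
    for sample in ("max-age=300",
                   "max-age=15552000",
                   'max-age="15552000"; includeSubDomains',
                   "max-age=31536000; includeSubDomains; preload"):
        rating, notes = grade(parse_hsts(sample))
        print(f"{sample!r:55} -> {rating}", *notes, sep="\n    ")
```

Running the script offline prints the rating for the four constructed headers; fetch_hsts(host) performs the live HTTPS check, and it deliberately ignores anything served over plain HTTP because browsers do the same.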
Frequently asked questions
What is HSTS?
HTTP Strict Transport Security is a header that forces browsers to use HTTPS for your site, preventing downgrade attacks and blocking insecure connections entirely.
What is a good HSTS max-age?
At least 15552000 seconds (six months), and often a year or more. A longer max-age means browsers remember to enforce HTTPS for that duration.
What does HSTS preload do?
Preloading adds your domain to a list built into browsers, so HTTPS is enforced even on a user's very first visit. It requires includeSubDomains and a long max-age.