HSTS Checker — Strict-Transport-Security Parse & Grade

Without HSTS, browsers happily downgrade to HTTP when users type http:// or when active network attackers strip TLS. Strict-Transport-Security caches an HTTPS-only directive for max-age seconds. includeSubDomains extends protection to all subdomains — critical before preload submission. preload signals intent for inclusion in browser hardcoded preload lists shipped with Chrome, Firefox, and others.

Our checker validates that your live response header matches operational intent — not just that HSTS appears somewhere in documentation.

max-age is required for valid HSTS. Zero or missing max-age means browsers ignore the policy. Values under 86400 seconds — one day — generate issues as too short for meaningful protection. Preload programs recommend at least 31536000 seconds — one year — documented in issues when shorter.

maxAgeDays converts seconds for human-readable runbooks. Operations teams track certificate renewal against max-age to avoid expiry windows where cached HSTS outlives cert validity.

includeSubDomains applies HSTS to all subdomains. Omitting it when admin.example.com still serves HTTP leaves downgrade paths for attackers targeting subdomains. preload requires includeSubDomains — our parser flags preload token without includeSubDomains as an issue.

Verify every subdomain supports HTTPS before enabling includeSubDomains — one HTTP-only legacy app breaks user access for the entire subtree.

The preload directive in your header expresses opt-in to browser preload programs. Actual preload requires meeting eligibility rules and successful submission to hstspreload.org. This HSTS checker confirms header syntax preconditions — not registry membership.

Use hsts-preload-checker to query preload list status and eligibility checklist. Submit only after grade A configuration stable for weeks.

Grade A: valid max-age at least one year with includeSubDomains and preload tokens — ready for preload consideration. Grade B: valid max-age at least one year with includeSubDomains without preload. Grade C: valid max-age at least one day meeting minimal HSTS. Grade F: absent, zero max-age, or invalid configuration.

Grades align with common deployment tiers — adjust internal policies to require B minimum on production customer-facing hosts.

Security headers checker awards twenty-five points for any Strict-Transport-Security presence without parsing max-age minimums. HSTS checker evaluates duration, subdomain coverage, and preload readiness in depth.

Executive dashboards can use composite scores. Engineering remediation uses this dedicated parse output.

We follow redirects from http:// submissions to final HTTPS responses. HSTS must appear on the HTTPS response users ultimately receive. Some sites emit HSTS only after redirect — ensure the final hop includes the header.

Test both apex and www variants — HSTS is hostname-specific unless includeSubDomains and matching cert SANs cover all names.

preload without includeSubDomains causes preload submission rejection. max-age under one year fails preload eligibility while still providing short-term HSTS for returning visitors. Duplicate or malformed headers may confuse parsers — issues array surfaces zero max-age cases.

Staging environments accidentally copying preload token without staging HTTPS on all subdomains cause outage risk — use separate hostnames for staging without preload.

Browsers cache HSTS independently of certificate renewals. Expired certificates on HSTS hosts trap users in error loops until max-age expires or users manually clear HSTS state — painful on long max-age production configs.

Pair with ssl-tls-grade-checker for certificate expiry monitoring alongside HSTS policy review.

Fetches public URLs you authorize. Results reflect one response path at query time. Do not use repeated automated probing against third-party sites without permission.

HSTS headers are public information visible to any client connecting to your site.