HSTS Preload Checker — Preload List Status
Query official HSTS preload list status and eligibility fields for a domain
How to Use This Tool
- Enter the domain name, for example example.com, without a scheme or path.
- We validate the domain format and normalize the hostname.
- The server queries the status endpoint of the public HSTS preload list API v2.
- Response fields populate the domain status, eligibility flags, and header requirements.
- API failures return an unknown status with an error message for retry guidance.
About This Tool
HTTP Strict Transport Security (HSTS) instructs browsers to always use HTTPS for your domain; with the preload directive, the domain can also be submitted to the browser preload lists baked into releases. The VSPIC HSTS preload checker queries the public preload list API for your domain and returns the status, eligibility, max-age, includeSubDomains, and preload directive fields.
Enter a registrable domain without a path. Results merge the API JSON with source attribution. When the API is unreachable, the tool returns status unknown with error context rather than failing silently.
What HSTS preload achieves
First-time visitors have no stored HSTS policy, so an attacker could strip TLS on the initial HTTP request. Preloaded domains ship in the browsers' built-in lists, which forces HTTPS before any network contact and closes that gap for enrolled hostnames.
Preload cannot be undone for months: a mistaken inclusion strands users if HTTPS is misconfigured. Check status before submission and after deployment.
Official preload list API
Browsers aggregate submissions into a canonical preload list distributed with updates. The hstspreload.org API exposes machine-readable status, which our checker queries live rather than reading from a cached unofficial mirror.
The source field in the results confirms data provenance for audit documentation.
Eligibility requirements overview
Domains need valid HTTPS and an HSTS header on HTTPS responses with a sufficient max-age, the includeSubDomains directive, and the preload directive. Redirect chains must satisfy the policy checks defined by the preload maintainers.
An eligibility value of false in the API response points to specific remediation: inspect max-age, subdomain coverage, and redirect correctness on the live site.
includeSubDomains implications
When true, every subdomain must serve valid HTTPS; a dev stub on http://test.example.com blocks preload approval. Plan wildcard certificates or ACME automation before enabling it.
Preload versus on-site HSTS only
On-site HSTS protects repeat visitors after their first successful HTTPS visit. Preload protects the first visit globally. Many compliance frameworks now expect preload for public-facing properties handling sensitive data.
Checking status after submission
Approval takes weeks as browsers integrate list updates. Periodic checks track progression from pending to preloaded, or to rejected with reasons, via the API fields.
Common rejection causes
Common causes are a max-age below the policy threshold, a missing preload token in the header, HTTP redirect loops, or a subdomain serving mixed content. Fix the live headers, then resubmit through the official portal; our checker validates the current list state, not the submission workflow.
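The header-level eligibility requirements and rejection causes described above (max-age, includeSubDomains, preload), as an added Python example that is not VSPIC's or hstspreload.org's code: it parses a Strict-Transport-Security value per RFC 6797 and lists what to fix. The function names and the one-year MIN_MAX_AGE default are assumptions; redirect and mixed-content checks are out of scope.

```python
# Added example: header-level preload checks. All names here are hypothetical.
# Assumption: one year, taken as the minimum max-age for preload submission.
MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse an HSTS value into {name: value_or_None}; a repeated directive is invalid."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue  # the RFC 6797 grammar tolerates empty directives (trailing ';')
        name, sep, value = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            raise ValueError("duplicate directive: " + name)
        directives[name] = value.strip().strip('"') if sep else None
    return directives


def preload_header_problems(header_value, min_max_age=MIN_MAX_AGE):
    """Return remediation messages; an empty list means the header passes."""
    try:
        d = parse_hsts(header_value)
    except ValueError as exc:
        return ["invalid header: %s" % exc]
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not (max_age.isascii() and max_age.isdigit()):
        problems.append("max-age missing or not a non-negative integer")
    elif int(max_age) < min_max_age:
        problems.append("max-age %s is below %d" % (max_age, min_max_age))
    for token in ("includesubdomains", "preload"):
        if token not in d:
            problems.append("missing %s directive" % token)
        elif d[token] is not None:
            problems.append("%s must not take a value" % token)
    return problems


# Constructed sample headers, not captured from any real site.
SAMPLES = [
    "max-age=63072000; includeSubDomains; preload",
    "max-age=86400; includeSubDomains",
    'MAX-AGE="31536000"; INCLUDESUBDOMAINS; Preload;',
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", preload_header_problems(s) or "ok")
```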
Relationship to SSL checker
Certificate validity underpins preload eligibility. Run the SSL grade checker alongside the preload status check when rotating certificates before expiry.
Security headers synergy
HSTS complements Content-Security-Policy and Referrer-Policy. The security headers checker scores broader posture, while this tool focuses specifically on preload list membership.
Limitations
We read list status only; we do not submit domains to the preload program. Submission remains manual through the maintainer website, with email verification steps.
Frequently Asked Questions
Yes. VSPIC offers this HSTS preload checker at no cost with no account required. Results load in real time.
We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.
Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.
No. It only reads the current preload list status.
The public hstspreload.org v2 status API.
Enter the apex domain. includeSubDomains in the results shows whether subdomains are covered by the preload entry.
The API may be temporarily unreachable. Retry later; the error text appears in the results.
No. Removal from browser preload lists takes months. Plan carefully before enrolling.
Primary data comes from the preload API. Live header inspection is separate; use the security headers checker.
Next step for your check
Continue with security headers checker on VSPIC.