Free Tool

Free HSTS (Strict-Transport-Security) Checker

Check whether a website enforces HTTPS with HSTS, and whether its max-age, includeSubDomains, and preload settings are configured correctly.

Free and instant. No account or signup needed.

What HSTS does and why it matters

HSTS, short for HTTP Strict Transport Security, is a response header that tells a browser to only ever talk to a site over HTTPS. The site sends Strict-Transport-Security once, the browser remembers it, and from then on every request to that site is upgraded to a secure connection before it ever leaves the device. It is one of the simplest ways to make sure visitors are never quietly downgraded to an unencrypted link.

The problem HSTS solves is the very first request. When someone types your bare domain, the browser has no memory of your site requiring HTTPS, so that first hop can go out over plain HTTP. An attacker sitting on the same network can intercept or redirect it before any redirect to HTTPS kicks in. Once the browser has seen your HSTS header, that gap closes for every later visit, and the preload list closes it even on the first.

Reading max-age, includeSubDomains, and preload

Three settings decide how strong your policy is. max-age is how long, in seconds, the browser should keep enforcing HTTPS, and you want it at one year or more, which is 31536000 seconds. includeSubDomains stretches the rule to cover every subdomain rather than just the exact host. preload asks browsers to ship your domain in their built-in HTTPS-only list, so even a brand new visitor is protected. Each one tightens coverage, and each one assumes the part of your site it covers already works over HTTPS.

Rolling out HSTS safely

Because browsers honor HSTS strictly, a mistake can make a subdomain unreachable until the policy expires. Roll it out in steps: start with a short max-age and no includeSubDomains, confirm nothing breaks, raise max-age toward a year, add includeSubDomains once every subdomain serves HTTPS, and only submit for preload at the end. When you are ready to build the header, the free HSTS generator produces a safe Strict-Transport-Security value you can copy into your server, and the what is HSTS guide walks through the details.
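To make the three settings and the rollout stages concrete, here is an added example (not the SiteSecurityScore code) that parses a Strict-Transport-Security value the way a checker would and flags the same issues described above: a missing or malformed header, a max-age under one year, a missing includeSubDomains, and a preload directive whose prerequisites are not met. The directive names and the one-year floor come from the text; the report field names are this example's own.

```python
"""Evaluate a Strict-Transport-Security header value as an HSTS checker would."""
import re

ONE_YEAR = 31536000  # seconds: the floor recommended above and required for preload


def parse_hsts(value):
    """Split a header value into directives (RFC 6797 section 6.1).

    Names are case-insensitive and ';'-separated; values may be quoted.
    Returns {lowercase name: value or None}, or None when a directive is
    repeated, which the RFC says makes the whole header invalid.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_value, raw = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = raw.strip().strip('"') if has_value else None
    return directives


def evaluate_hsts(header_value):
    """Report max-age, includeSubDomains, preload and the findings a checker would flag.

    header_value is the raw header string, or None when the response had no header.
    max_age stays None when the policy is absent or malformed (browsers ignore it).
    """
    report = {"max_age": None, "include_subdomains": False, "preload": False,
              "preload_eligible": False, "findings": []}
    if header_value is None:
        report["findings"].append("no Strict-Transport-Security header; every visit can be downgraded")
        return report
    d = parse_hsts(header_value)
    if d is None or not re.fullmatch(r"\d+", d.get("max-age") or ""):
        report["findings"].append("header malformed or missing max-age; browsers ignore it")
        return report
    max_age = int(d["max-age"])
    report.update(max_age=max_age, include_subdomains="includesubdomains" in d, preload="preload" in d)
    if max_age == 0:  # max-age=0 is how a site tells browsers to forget the policy
        report["findings"].append("max-age=0 clears the stored policy; the site is no longer protected")
    elif max_age < ONE_YEAR:
        report["findings"].append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if not report["include_subdomains"]:
        report["findings"].append("includeSubDomains absent; subdomains stay downgradeable")
    if report["preload"] and (max_age < ONE_YEAR or not report["include_subdomains"]):
        report["findings"].append("preload set but the list requires a one-year max-age and includeSubDomains")
    report["preload_eligible"] = max_age >= ONE_YEAR and report["include_subdomains"] and report["preload"]
    return report
```

Feed it the header value from a live response (for example from the `Strict-Transport-Security` entry of a `requests` response's headers) to see which rollout stage a site has reached.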

Frequently asked questions

What is an HSTS checker?

An HSTS checker inspects the Strict-Transport-Security header a website returns, then tells you whether the site forces browsers to use HTTPS and whether its max-age, includeSubDomains, and preload settings are strong enough. SiteSecurityScore checks this live by scanning the URL you enter.

What is the first request vulnerability HSTS fixes?

Before a browser has seen an HSTS header, it does not know the site requires HTTPS, so a user who types the bare domain can send that very first request over plain HTTP. An attacker on the network can intercept or downgrade it. HSTS tells the browser to remember the site as HTTPS-only, closing that window on every visit after the first.

How long should HSTS max-age be?

Use at least one year, which is 31536000 seconds. A short max-age means the browser forgets the rule quickly and the site falls back to being downgradeable. One year is also the minimum required to qualify for the browser preload list.

What do includeSubDomains and preload do?

includeSubDomains extends the HTTPS-only rule to every subdomain, not just the exact host that sent the header. preload signals that the site wants to be hard-coded into browsers as HTTPS-only, which removes even the first request risk. Only enable them once every subdomain reliably serves HTTPS.

Does this checker scan a live site?

Yes. Enter a URL and SiteSecurityScore fetches the live response, reads the Strict-Transport-Security header, and reports what it found in seconds. No account or signup is required.

Check every layer in one scan

This checker covers one piece. Run a full SiteSecurityScore scan for your security headers, CSP, TLS, DNS, and cookies, with a letter grade and copy-and-paste fixes. No account required.

Run a full scan