HSTS Preload Eligibility
Check whether a Strict-Transport-Security header meets the preload-list criteria.
Overview
The HSTS Preload Eligibility checker parses a Strict-Transport-Security header value and reports whether it satisfies every requirement for acceptance into the Chromium HSTS preload list: a max-age of at least one year (31536000 seconds), the includeSubDomains directive, the preload token, and, implicitly, HTTPS served on every subdomain.
Useful for security engineers and devops learning how to qualify for the HSTS preload list or how to fix an HSTS header so that it is preload-eligible. The preload list ships in every Chromium-based browser as well as Firefox and Safari, so a properly preloaded domain cannot be SSL-stripped on the very first visit.
How it works
RFC 6797 defines HSTS as a response header (Strict-Transport-Security) that pins a browser to HTTPS for the supplied max-age. Chromium's preload requirements layer extra constraints on top: max-age must be at least 31536000 seconds (1 year; 2 years is now recommended), the includeSubDomains directive must be present so the policy extends to every subdomain, and the preload token must be explicit to signal the site owner's consent.
The checker tokenises the header, normalises the directives, and reports each requirement as pass/fail with a remediation hint. It also flags directive order and unknown directives, which the IETF spec ignores but which proxies may mishandle.
Examples
max-age=63072000; includeSubDomains; preload → all checks pass.
max-age=86400; preload → fails: max-age below 1 year, missing includeSubDomains.
max-age=31536000; includeSubDomains → fails: missing preload token.
max-age=31536000; preload; includeSubDomains; → passes; trailing semicolon is tolerated.
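The tokenise-normalise-check pipeline described under How it works, run against the four example headers above, as an added illustration that is not the checker's own code; the function names and hint wording are assumptions, and the RFC 6797 details it relies on are case-insensitive directive names, optional quoting of values, and each directive appearing at most once.

```python
import re
ONE_YEAR = 31536000  # minimum max-age accepted by the Chromium preload list
KNOWN = {"max-age", "includesubdomains", "preload"}

def tokenise(header: str) -> list[tuple[str, str]]:
    """Split an STS header value into lower-cased (name, value) pairs. Names are
    case-insensitive and values may be quoted (RFC 6797 s6.1); empty tokens left
    by a trailing semicolon are tolerated rather than rejected."""
    pairs = []
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pairs.append((name.strip().lower(), value))
    return pairs

def _req(ok: bool, hint: str) -> tuple[bool, str]:
    return (ok, "" if ok else hint)  # hint only reported on failure

def check_preload(header: str) -> dict[str, tuple[bool, str]]:
    """Map each preload requirement to (passed, remediation hint)."""
    pairs = tokenise(header)
    names = [n for n, _ in pairs]
    max_age = dict(pairs).get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        age = _req(False, "add max-age=<seconds> with an unsigned integer value")
    else:
        age = _req(int(max_age) >= ONE_YEAR, f"raise max-age to at least {ONE_YEAR} (1 year)")
    return {
        "max-age": age,
        "includeSubDomains": _req("includesubdomains" in names,
                                  "add includeSubDomains; every subdomain must serve valid HTTPS"),
        "preload": _req("preload" in names, "add the preload token to signal consent"),
    }

def lint(header: str) -> list[str]:
    """Non-fatal findings: a directive repeated (RFC 6797 allows each once) or
    unknown to the spec, which browsers ignore but proxies may mishandle."""
    names = [n for n, _ in tokenise(header)]
    found = [f"duplicate directive: {n}" for n in sorted(set(names)) if names.count(n) > 1]
    return found + [f"unknown directive: {n}" for n in sorted(set(names) - KNOWN)]

def is_preload_eligible(header: str) -> bool:
    """True only when every hard requirement passes; lint findings are advisory."""
    return all(ok for ok, _ in check_preload(header).values())
```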
FAQ
Is preload reversible?
Removal from the preload list takes months; clients only pick up the change when browsers ship updated baked-in data on their release cycles. Never preload until you are fully committed to HTTPS-only across every subdomain.
Do I need to submit my domain manually?
Yes. The header alone only signals consent; you must also submit the domain at hstspreload.org for inclusion in Chromium's baked-in list.
What if a subdomain still uses HTTP?
That subdomain becomes unreachable for preloaded clients. Audit every subdomain (mail, api, dev) and confirm valid HTTPS before submitting.
Does HSTS protect the very first visit?
Only if your domain is preloaded. Without preload, the browser learns HSTS only after the first successful HTTPS response, leaving the first request vulnerable to stripping.