HSTS Preload Checker

login

This tool is planned for a future release. Authentication and target-ownership verification will be required before it can be enabled.

This tool isn't available in the anonymous view. Sign in to access it.

Monitor this automatically

NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.

Start monitoring free → See all monitoring products

Frequently Asked Questions

What is HSTS and what does the preload list add?

HSTS (HTTP Strict Transport Security) tells browsers to always use HTTPS for a domain via the Strict-Transport-Security header. The preload list goes further — browsers ship with a hardcoded list of HSTS domains, so HTTPS is enforced even on the very first visit, before any header can be seen. This closes the TOFU (trust on first use) window.

What are the requirements to join the HSTS preload list?

Your domain must: (1) serve valid HTTPS on all subdomains, (2) serve an HSTS header with max-age ≥ 31536000, includeSubDomains, and the preload directive, (3) redirect HTTP to HTTPS. Submission is at hstspreload.org. Removal is intentionally difficult — only submit if you're committed to HTTPS on all subdomains permanently.

How long does preload list inclusion take?

After submitting at hstspreload.org, it typically takes 1–3 months to appear in Chrome/Firefox's shipped list. The list is updated with each browser release. Once included, removal takes just as long — preload should only be used for domains with a long-term HTTPS commitment.