Security Analysis Tool

HSTS Checker

Verify your website's HTTP Strict Transport Security configuration. Check for preload eligibility and get actionable security recommendations.


Understanding HSTS Security

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.

What is HSTS?

HSTS is an HTTP response header that tells browsers to only access your site using HTTPS for a specified period. Once a browser receives this header, any attempt to access the site via HTTP will automatically be converted to HTTPS before the request is made.

This prevents attackers from intercepting the initial HTTP request and redirecting users to malicious sites.


Why is HSTS Critical?

Without HSTS, even if your site supports HTTPS, users can still be tricked into connecting over plain HTTP first. An attacker who intercepts that first unencrypted request can perform an SSL stripping attack: they keep an encrypted connection to your server while serving the user an unencrypted copy of the site.

HSTS Directives Explained

max-age

Specifies how long (in seconds) the browser should remember that the site must only be accessed via HTTPS. Recommended: 31536000 (1 year) or more.

includeSubDomains

When present, the HSTS policy applies to all subdomains of the host. Essential for full domain protection.

preload

Signals the site owner's consent to inclusion in browser HSTS preload lists. Once preloaded, HSTS is enforced even on the very first visit, before the browser has received any header from the site.

80-100: Excellent

HSTS enabled with max-age ≥ 1 year, includeSubDomains, and the preload directive. Maximum protection.

50-79: Needs Work

HSTS enabled but missing key directives, or max-age is too short. Partial protection.

0-49: Vulnerable

HSTS not enabled or severely misconfigured. Site is vulnerable to downgrade attacks.
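The following is an added example, not the HSTS Checker's own code: it parses a Strict-Transport-Security header value the way the directives section above describes and maps it onto the three score bands. The page defines only the bands, so the point values inside each band and the six-month partial-credit threshold are assumptions of this example.

```python
# Added example, not the tool's code; point values and SIX_MONTHS are assumed.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ONE_YEAR = 31536000        # seconds; the max-age the page recommends
SIX_MONTHS = 182 * 86400   # assumed threshold for partial max-age credit

@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)

def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None if the header is absent."""
    if header is None or not header.strip():
        return None
    p = HstsPolicy()
    for token in header.split(";"):
        name, _, value = token.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if value.isdigit():            # RFC 6797 delta-seconds, quotes allowed
                p.max_age = int(value)
            else:
                p.problems.append(f"max-age is not an integer: {value!r}")
        elif name == "includesubdomains":
            p.include_subdomains = True
        elif name == "preload":
            p.preload = True
    if p.max_age is None:
        p.problems.append("max-age missing or invalid; browsers ignore the header")
    elif p.max_age == 0:
        p.problems.append("max-age=0 clears the policy; HSTS is disabled")
    return p

def score_hsts(header: Optional[str]) -> Tuple[int, str]:
    """Map a header to (score, band) using the page's 0-49/50-79/80-100 bands."""
    p = parse_hsts(header)
    if p is None or not p.max_age:         # absent, invalid, or max-age=0
        return 0, "Vulnerable"
    score = 50                             # enabled at all: bottom of "Needs Work"
    score += 15 if p.max_age >= ONE_YEAR else 5 if p.max_age >= SIX_MONTHS else 0
    score += 10 if p.include_subdomains else 0
    # preload counts only when the site is preload-eligible: 1-year max-age,
    # includeSubDomains and preload all present together.
    if p.preload and p.include_subdomains and p.max_age >= ONE_YEAR:
        score += 25
    return score, "Excellent" if score >= 80 else "Needs Work"
```

Only a header with all three directives and a one-year max-age reaches the Excellent band, matching the rubric above; a preload directive on an otherwise short or subdomain-less policy earns nothing, because the preload list would reject it.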

Why HSTS Matters

Prevents SSL Stripping

Attackers cannot intercept the initial HTTP request and downgrade the connection.

Cookie Protection

Session cookies cannot be stolen via unencrypted connections.

User Trust

Guarantees users always see the padlock icon indicating a secure connection.

SEO Benefits

Search engines favor secure sites. HSTS ensures consistent HTTPS access.

Attacks HSTS Prevents

SSL Stripping

Man-in-the-middle attack that downgrades HTTPS to HTTP, allowing traffic interception.

Session Hijacking

Stealing session cookies transmitted over unencrypted HTTP connections.

DNS Spoofing

Combined with preload, even fake DNS responses can't force HTTP connections.

Protocol Downgrade

Forcing browsers to use weaker, vulnerable versions of TLS/SSL protocols.
