HSTS Checker - Test HSTS Header & Policy Settings
Instantly analyze your Strict-Transport-Security configuration. Correct enforcement reduces connection latency by enforcing HTTPS at the browser level, cutting out server-side redirect hops.
HSTS Protocol, Policy, and Implementation
HSTS stands for HTTP Strict Transport Security. It is a powerful security policy that forces browsers to interact with your website exclusively over secure HTTPS. Once a browser receives the HSTS header, it automatically upgrades every future connection attempt from insecure HTTP to encrypted HTTPS before the request even leaves the user's device.
How HSTS Boosts Page Load Speed
While primarily a security feature, HSTS is a secret weapon for web performance. Without HSTS, a user typing example.com often hits an insecure URL first, waits for a server-side redirect (301/302), and only then connects via HTTPS.
- Eliminating Redirect Hops: The browser performs the redirect internally, removing the round trip (RTT) otherwise spent on the server telling the browser "please use HTTPS."
- Reducing Latency: By bypassing the initial HTTP request, you save valuable milliseconds on the Time to First Byte (TTFB), especially on high-latency mobile networks.
- Preventing "Protocol Downgrade" Attacks: Because the connection can never fall back to plain HTTP, it also ensures that TLS-only performance features (such as HTTP/2 and HTTP/3) are always used.
HSTS Policy Implementation
A typical HSTS policy is sent through the Strict-Transport-Security response header and may include:
- max-age: Tells the browser how long to remember the HSTS rule
- includeSubDomains (Optional): Applies the policy to all subdomains
- preload (Optional): Indicates that the domain may be submitted to browser preload lists
For example, a correct HSTS header configuration looks like this:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Proper HSTS implementation usually means:
- the site redirects all HTTP traffic to HTTPS
- the HTTPS version sends the correct HSTS header
- the certificate is valid
- all important subdomains are also secured if includeSubDomains is used
An HSTS header check helps confirm whether these rules are present and correctly configured.
Why do we need an HSTS Checker?
An HSTS checker can help you:
- verify if HSTS is enabled
- perform an HSTS header check quickly
- review whether the HSTS policy is configured correctly
- identify missing directives such as includeSubDomains or preload
- support security audits and HTTPS hardening efforts
- test and scan your site for HSTS implementation, highlight performance benefits such as reduced redirects, and ensure efficient encryption methods are in use
For developers, administrators, and security teams, HSTS testers/checkers are a simple way to validate that a site’s browser-side HTTPS enforcement is working as expected.
FAQs
The HSTS protocol (HTTP Strict Transport Security) is a browser security mechanism that forces secure HTTPS connections after a site sends the HSTS HTTP header.
The HSTS HTTP header enforces a secure connection by instructing web browsers to automatically upgrade all HTTP requests to HTTPS. HSTS is supported by all major browsers, including Chrome, Firefox, Safari, and Edge, so it can be relied on across the board. This helps protect against protocol downgrade attacks and cookie hijacking.
HSTS means HTTP Strict Transport Security. It is a policy that helps protect websites by instructing browsers to use HTTPS only. The advantage of enabling HSTS is that it protects users from on-path attackers by ensuring all connections are securely upgraded to HTTPS.
You can use an online HSTS checker to test your website for the presence of the Strict-Transport-Security header. These tools return results immediately after scanning your domain, showing details of your site's configuration such as the HSTS directives present, the policy expiry (max-age), subdomain inclusion, and preload status.
An HSTS checker can also help you find and address issues with preload requirements or HTTPS support, so that your website is properly configured and meets the preload-list requirements, which extend protection to a user's very first visit.
An HSTS policy is the rule sent by a server through the HSTS header. It tells browsers how long to enforce HTTPS and whether the rule should also apply to subdomains.
The max-age directive in the HSTS header specifies the duration in seconds for which the browser should remember to use only HTTPS for the site. The includeSubDomains directive can be added so that the policy applies not only to the main domain but also to all its subdomains, widening the security coverage. To implement HSTS correctly, you must serve the HSTS header on the base domain over HTTPS.
To be included in the HSTS preload list, you must set the max-age directive to at least 31536000 seconds (1 year) and serve a valid HTTPS certificate on all subdomains.
HSTS implementation is the process of configuring a website to send the correct HSTS header over HTTPS so browsers automatically enforce secure connections on future visits.
Website owners are responsible for ensuring that all domains and subdomains support HTTPS before submitting their site to the HSTS preload list. Once a domain is added to the preload list, it is effectively a permanent commitment: removal is possible but slow and requires meeting strict conditions. Owners should follow the deployment steps carefully: enable HTTPS, set a short max-age value, and gradually increase it as stability is confirmed, making sure all settings are correct before preloading.