HSTS Checker
Test your Strict-Transport-Security header and see whether your HTTPS enforcement is configured safely for modern browsers.
What this tool checks
This page uses ZeriFlow's deterministic website security engine and focuses the guidance on the configuration area above. For the full report, run a complete free security scan.
Key Checks
Header Presence
Detects whether the Strict-Transport-Security response header is present on HTTPS responses.
Max-Age Strength
Checks whether the policy duration is long enough for production protection.
Subdomain Coverage
Reviews includeSubDomains usage and explains when it is safe to apply across all subdomains.
Preload Readiness
Highlights the requirements usually needed before submitting a domain to browser preload lists.
Recommended Baseline
Header
Strict-Transport-Security should be sent only on HTTPS responses; browsers ignore it when it arrives over plain HTTP.
Max-Age
Use a long production max-age such as 31536000 after testing.
Subdomains
Use includeSubDomains only when every subdomain supports HTTPS.
Preload
Add preload only after confirming HTTPS coverage and operational readiness.
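The four checks and the baseline above map directly onto a small evaluator. The following is an added example written for this page, not ZeriFlow's scanning engine: it parses a Strict-Transport-Security value the way RFC 6797 describes (case-insensitive directive names, optional quoted values, no repeated directives), then grades header presence, max-age strength against the one-year baseline, includeSubDomains coverage and preload readiness. The function names, the HstsReport structure and the finding levels are assumptions of this example; the one-year threshold is the figure the page recommends and the minimum the preload list requires.

```python
"""HSTS header evaluator: parse, then apply the checks listed above.
Added example for this page; it is not ZeriFlow's engine, and the function
names, report fields and finding levels are this example's own choices."""
from dataclasses import dataclass, field
from typing import Optional

ONE_YEAR = 31536000  # production baseline from the page; also the preload-list minimum


@dataclass
class HstsReport:
    present: bool = False
    valid: bool = False                 # header parsed and carries a usable max-age
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: list = field(default_factory=list)   # (level, message); level is fail/warn/info

    def levels(self) -> set:
        return {lvl for lvl, _ in self.findings}


def parse_hsts(value: str) -> dict:
    """Split an STS field value into {directive_name: value_or_None}.

    RFC 6797 section 6.1: names are case-insensitive, values may be quoted,
    and a directive name must not appear more than once. A repeated name
    makes the whole header unusable, so it raises ValueError.
    """
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue  # tolerate a trailing ';' or doubled separators
        name, has_value, raw = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"directive '{name}' appears more than once")
        directives[name] = raw.strip().strip('"') if has_value else None
    return directives


def evaluate_hsts(header_value: Optional[str], served_over_https: bool = True) -> HstsReport:
    """Run the presence, max-age, subdomain and preload checks on one header value."""
    report = HstsReport()
    if header_value is None:
        report.findings.append(("fail", "Strict-Transport-Security header is missing"))
        return report
    report.present = True
    if not served_over_https:
        # Browsers discard STS received over plain HTTP (RFC 6797 section 8.1).
        report.findings.append(("fail", "header seen on an HTTP response; browsers ignore it there"))
    try:
        directives = parse_hsts(header_value)
    except ValueError as exc:
        report.findings.append(("fail", f"invalid header: {exc}"))
        return report

    raw_age = directives.get("max-age")
    if raw_age is None or not raw_age.isdigit():
        report.findings.append(("fail", "max-age is required and must be a non-negative integer"))
        return report
    report.max_age = int(raw_age)
    report.valid = True
    report.include_subdomains = "includesubdomains" in directives
    report.preload = "preload" in directives

    if report.max_age == 0:
        report.findings.append(("warn", "max-age=0 tells browsers to forget the policy"))
    elif report.max_age < ONE_YEAR:
        report.findings.append(("warn", f"max-age {report.max_age} is below the one-year baseline ({ONE_YEAR})"))
    else:
        report.findings.append(("info", "max-age meets the one-year baseline"))

    if not report.include_subdomains:
        report.findings.append(("info", "includeSubDomains absent; subdomains are not covered"))

    if report.preload:
        # Preload-list submission needs at least one year and includeSubDomains.
        missing = []
        if report.max_age < ONE_YEAR:
            missing.append("max-age >= 31536000")
        if not report.include_subdomains:
            missing.append("includeSubDomains")
        if missing:
            report.findings.append(("fail", "preload set but requirements not met: " + ", ".join(missing)))
        else:
            report.findings.append(("info", "preload directive present and requirements met"))
    return report


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    for value in [None, "max-age=300", "max-age=31536000; includeSubDomains; preload",
                  "max-age=600; preload", "max-age=31536000; max-age=0"]:
        print(repr(value), evaluate_hsts(value).findings)
```

The evaluator deliberately stops at the first fatal problem (missing header, duplicate directive, unusable max-age) because a browser would discard the whole policy at that point, so grading the remaining directives would overstate the protection in place. The preload check only reports on the header; confirming that every subdomain actually serves HTTPS, which the baseline above requires before includeSubDomains or preload, needs a crawl of the subdomains and is outside this snippet.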
FAQ
What is HSTS?
HSTS stands for HTTP Strict Transport Security. It tells browsers to connect to your domain only over HTTPS for a defined period, reducing downgrade and SSL stripping risks.
What is a good HSTS max-age value?
A common production baseline is max-age=31536000, which equals one year. Test shorter values first if you are still validating HTTPS across all subdomains.
Should I enable HSTS preload?
Only enable preload when all subdomains support HTTPS reliably and you understand the long-term commitment. Preload is powerful, but mistakes can break access to subdomains.
Does HSTS replace HTTPS redirects?
No. You should still redirect HTTP to HTTPS. HSTS makes browsers enforce HTTPS after they have seen the header, while redirects handle first-time visits and non-HSTS clients.
Need the full security picture?
ZeriFlow combines deterministic website checks across headers, TLS, DNS, cookies, and email security with monitoring, reporting, and AI-powered developer workflows where implemented.