HSTS preload eligibility

Per hstspreload.org submission requirements

Checks a domain against all hstspreload.org submission requirements (max-age >= 1 year, includeSubDomains, preload, HTTP-to-HTTPS redirect).

What is this, and when do I need it?

What is this?

HSTS preload is the browser's "memorize this domain as HTTPS-only forever" mechanism: Chrome, Firefox, Safari and Edge ship a baked-in list of domains that must never be loaded over HTTP - even before any handshake. To get onto the list you submit your domain at hstspreload.org; the site checks four hard requirements automatically and rejects everything else.

This tool runs the same four checks (HTTPS reachable, HSTS header with max-age >= 1 year, includeSubDomains, preload, and a HTTP → HTTPS redirect on port 80) plus a verdict, so you can fix the gaps before submitting.

When do I need it?

Use before submitting to hstspreload.org, after a TLS cert or CDN migration that might have dropped the HSTS header, or as a periodic sanity check that the HTTP-to-HTTPS redirect on port 80 is still wired up. Removal from the preload list is a months-long process - getting the configuration right before submission saves a lot of pain.

Server path: we open one HTTPS and one HTTP connection to the apex domain and read headers / redirect Location. We log neither domain nor result. At most 12 requests per minute per IP subnet.

Examples: ·