How long does it take to get on the HSTS preload list?

After submission at hstspreload.org, it takes 2-3 months to appear in Chrome stable, followed by Firefox and Safari stable releases.

Can I remove my domain from the HSTS preload list?

Yes, but removal takes 6-12 months. Only submit if you are certain all subdomains will support HTTPS permanently.

Do I need the preload directive to use HSTS?

No. HSTS works without preload — the preload directive only signals intent to be on the preload list. Basic HSTS just needs max-age.

How to Check If Your Domain Is on the HSTS Preload List

Updated April 2026

The HSTS preload list is a hardcoded list of domains built into Chrome, Firefox, Safari, and Edge. If your domain is on it, HTTPS is enforced before the browser makes any request — closing the gap that HSTS alone cannot close.

Check your domain now → HSTS Preload Checker

What the HSTS preload list is

Normally, HSTS (Strict-Transport-Security) only works after the browser has visited your site once and received the HSTS header. On the very first visit — or after clearing browser data — the browser might connect over HTTP first, creating a window for a downgrade attack.

The preload list eliminates this window. Domains on the list are hardcoded into browsers — HTTPS is enforced even on the absolute first visit, before any HTTP request is made.

How to check your status

The fastest way is the HSTS Preload Checker — paste your domain and it queries the preload list API and your live HSTS header simultaneously:

HSTS Preload Checker →

You can also check manually via the API:

curl "https://hstspreload.org/api/v2/status?domain=yoursite.com"
# Returns: {"status": "preloaded"} or {"status": "unknown"}

Status meanings

Status	Meaning	Action
preloaded	Domain is in the list — all browsers enforce HTTPS	Nothing required
pending	Submitted but not yet in browser releases	Wait 2–3 months for Chrome stable
unknown	Not on the list	Check requirements below

Requirements to get listed

Valid HTTPS certificate on the domain
All HTTP traffic redirected to HTTPS
HSTS header with max-age of at least 31536000 (1 year)
includeSubDomains directive present — all subdomains must support HTTPS
preload directive present — signals intent to be preloaded

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The ramp-up process

Do not add includeSubDomains and preload immediately. If any subdomain does not support HTTPS, users will be locked out. Ramp up gradually.

Start with a short max-age (e.g. 300 seconds) to verify HTTPS works
Ensure all subdomains support HTTPS
Increase max-age to 1 year
Add includeSubDomains
Add preload directive
Submit at hstspreload.org
Wait 2–3 months for inclusion in Chrome, Firefox, Safari stable releases

How long does it take?

After submission, it typically takes 2–3 months before your domain appears in Chrome stable, Firefox stable, and Safari stable. The list is compiled into each browser release — there is no way to speed this up.