HSTS Preload List Requirements

Updated April 2026

The HSTS preload list has strict requirements. Miss any one of them and your submission will be rejected. Here is exactly what you need before submitting at hstspreload.org.

The five requirements

1. Valid HTTPS certificate

Your domain must serve a valid, trusted TLS certificate. Self-signed certificates do not qualify. Free certificates from Let's Encrypt qualify.

2. HTTP redirects to HTTPS

All HTTP requests must redirect to HTTPS. The redirect must be a 301 (permanent) redirect, not a 302. Check the status line and the Location header with:

curl -sI http://yoursite.com | grep -iE '^(HTTP/|location:)'

3. HSTS header with max-age ≥ 31536000

The Strict-Transport-Security header must have a max-age of at least 31536000 seconds (1 year). Shorter values will be rejected.

Strict-Transport-Security: max-age=31536000

4. includeSubDomains directive

Every subdomain of your domain must also support HTTPS. The preload list applies to the entire domain tree — not just the apex domain. If any subdomain serves only HTTP, users will be locked out after preloading.

Strict-Transport-Security: max-age=31536000; includeSubDomains

Before adding includeSubDomains: Run a DNS audit to find all subdomains. Test every one over HTTPS. Subdomains like mail.yoursite.com, dev.yoursite.com, and api.yoursite.com must all work over HTTPS.

5. preload directive

The preload directive signals your intent to be on the preload list. It is not part of the HSTS standard — it is specifically for preload submission. Adding it without submitting does nothing, but submitting without it causes rejection.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Full Nginx config

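server {
  listen 443 ssl;
  server_name yoursite.com;

  # Placeholder paths: point these at your certificate chain and private key
  ssl_certificate     /path/to/fullchain.pem;
  ssl_certificate_key /path/to/privkey.pem;

  # Only set HSTS on HTTPS responses; "always" also covers error responses.
  # A location block that sets its own add_header does not inherit this one.
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}

server {
  listen 80;
  server_name yoursite.com;
  return 301 https://$host$request_uri;  # Redirect HTTP to HTTPS
}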

Cloudflare

Cloudflare Dashboard → SSL/TLS → Edge Certificates → HSTS → Enable, set max-age to 12 months, enable includeSubDomains and preload. Do not enable until all subdomains support HTTPS.

Verification checklist before submitting
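
Requirements 2 through 5 can be checked mechanically against captured response headers. The script below is an added example, not code from this page or from hstspreload.org; the function names are hypothetical and the sample responses are constructed for the placeholder host yoursite.com.

```python
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # one year, the minimum from requirement 3


def parse_hsts(value):
    """Split an HSTS header value into {lowercased directive: argument or None}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not name:
            continue  # tolerate a trailing ';'
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg.strip().strip('"') or None
    return directives


def hsts_problems(value):
    """Requirements 3-5: list what is wrong with one HSTS header value."""
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    age = d.get("max-age") or ""
    if not (age.isascii() and age.isdigit()):
        problems.append("max-age missing or not a number")
    elif int(age) < MIN_MAX_AGE:
        problems.append(f"max-age {age} is below {MIN_MAX_AGE}")
    for key, label in (("includesubdomains", "includeSubDomains"), ("preload", "preload")):
        if key not in d:
            problems.append(f"{label} directive missing")
    return problems


def redirect_problems(status, location):
    """Requirement 2: the plain-HTTP response must be a 301 to an https:// URL."""
    problems = []
    if status != 301:
        problems.append(f"status {status}, expected 301")
    if urlsplit(location or "").scheme != "https":
        problems.append("Location is not an https:// URL")
    return problems

if __name__ == "__main__":  # constructed sample responses, not real captures
    print(redirect_problems(302, "http://yoursite.com/login"))
    print(hsts_problems("max-age=15768000; includeSubDomains"))
```

Pass in the status code, Location value and Strict-Transport-Security value taken from curl -sI output; an empty list means that requirement is met.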

After submission

Submit at hstspreload.org. Your domain will enter a queue and be included in the next Chrome release, followed by Firefox and Safari. This takes 2–3 months. Status can be checked via the API or the HSTS Preload Checker.

Removal is slow: Once on the preload list, removal takes 6–12 months. Be certain all subdomains will support HTTPS permanently before submitting.