HSTS Preload Checker
Check if your domain is on the HSTS preload list built into browsers. Verify your current HSTS header, see which requirements you meet, and get the exact config to qualify.
What is the HSTS preload list?
A hardcoded list of domains built into Chrome, Firefox, Safari, and Edge that must always be accessed over HTTPS. When your domain is preloaded, HTTPS is enforced on the very first ever visit — before the browser has seen any header from your server. This closes the gap HSTS alone cannot close (the first visit over HTTP).
Requirements to be listed: valid HTTPS, all HTTP redirected to HTTPS, HSTS header with max-age ≥ 31536000, includeSubDomains, and the preload directive. Submit at hstspreload.org →
A hardcoded list of domains built into Chrome, Firefox, Safari, and Edge that must always be accessed over HTTPS. When your domain is preloaded, HTTPS is enforced on the very first ever visit — before the browser has seen any header from your server. This closes the gap HSTS alone cannot close (the first visit over HTTP).
Requirements to be listed: valid HTTPS, all HTTP redirected to HTTPS, HSTS header with max-age ≥ 31536000, includeSubDomains, and the preload directive. Submit at hstspreload.org →
See also: SSL certificate chain guide
You might also need
Done with this tool?
20 HTTP checks before you ship — security, CORS, cache, redirects, staging.
See also: TLS cipher suite guide