HSTS Test
Check whether a site sends HTTP Strict Transport Security and review its directives.
Powered by Geekflare Website Load Time API
What Is an HSTS Test?
HSTS Test checks whether a website sends the Strict-Transport-Security response header. HSTS tells browsers to use HTTPS for future visits, which helps protect users from protocol downgrade and cookie hijacking attacks.
Directives Checked
| Directive | Why It Matters |
|---|---|
| max-age | How long, in seconds, the browser should keep using HTTPS for the host after it last saw the header. This tool warns when the value is below 30 days (2,592,000 seconds). |
| includeSubDomains | Applies the HSTS policy to every subdomain as well. Enable it only when every subdomain already serves HTTPS, because browsers keep the policy for the full max-age once they have seen it. |
| preload | Optional directive used when preparing a domain for submission to the browser preload list, which also expects a max-age of at least one year and includeSubDomains. |
How to Read the Results
If the HSTS header is missing, browsers will not automatically upgrade later requests to HTTPS after the first visit. Note that the very first visit is never protected by HSTS alone, which is the gap the preload list exists to close. If the header is present but max-age is short, the policy lapses soon after the last HTTPS visit, leaving a protection window that is too small for production use.
includeSubDomains and preload are shown as advisories because they are powerful and hard to undo once browsers have cached them; enable them only when your full domain and subdomain setup is ready.
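The checks described above, written out as an added example (not the tool's own code): `parse_hsts` splits a Strict-Transport-Security value into its directives following RFC 6797 syntax, and `evaluate_hsts` applies this page's rules to a response's headers, including the 30-day max-age warning and the two advisories. The function and class names and the header values in the tests are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

THIRTY_DAYS = 30 * 24 * 60 * 60  # 2,592,000 s: the warning threshold used on this page

@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)

def parse_hsts(value: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security field value into directives (RFC 6797)."""
    directives: Dict[str, str] = {}
    for part in filter(str.strip, value.split(";")):   # skip empty segments
        name, _, val = part.partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        val = val.strip().strip('"')     # max-age may be sent as a quoted-string
        if name in directives:           # each directive may appear only once
            raise ValueError(f"duplicate directive '{name}'")
        directives[name] = val
    return directives

def evaluate_hsts(headers: Dict[str, str]) -> HstsResult:
    """Apply the checks described above to one response's headers."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return HstsResult(False, findings=["no HSTS header: later visits are not forced to HTTPS"])
    r = HstsResult(True)
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        r.findings.append(f"malformed header ({exc}); browsers may ignore it")
        return r
    age = d.get("max-age", "")
    if not age.isdigit():
        r.findings.append("max-age missing or not a number: header is invalid")
    else:
        r.max_age = int(age)
        if r.max_age < THIRTY_DAYS:  # note max-age=0 tells browsers to drop the policy
            r.findings.append(f"max-age={r.max_age}s is below 30 days")
    r.include_subdomains, r.preload = "includesubdomains" in d, "preload" in d
    if r.include_subdomains:
        r.findings.append("advisory: includeSubDomains covers every subdomain")
    if r.preload:
        r.findings.append("advisory: preload only matters for preload-list submission")
    return r
```

Feed it the headers of a real response (for example from `requests.get(url).headers`) to reproduce the tool's verdicts offline.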
Frequently Asked Questions
What does HSTS do?
HSTS tells browsers to use HTTPS for future visits to a site, reducing exposure to protocol downgrade and cookie hijacking attacks.
What max-age should I use?
A production HSTS policy should usually use a long max-age. This tool warns when max-age is below 30 days.
Is the preload directive required?
No. preload is optional unless you intend to submit the domain to the browser HSTS preload list. It is shown as an advisory.